Diffstat (limited to 'archetypes/profiles')
| -rw-r--r-- | archetypes/profiles/router/default.nix | 28 | ||||
| -rw-r--r-- | archetypes/profiles/router/unbound.nix | 70 |
2 files changed, 22 insertions, 76 deletions
diff --git a/archetypes/profiles/router/default.nix b/archetypes/profiles/router/default.nix
index 0818a6b..646982b 100644
--- a/archetypes/profiles/router/default.nix
+++ b/archetypes/profiles/router/default.nix
@@ -1,12 +1,28 @@
 { lib, pkgs, ... }:
 let
 mkRouter = lib.mkOverride 800;
- # TODO pass mkRouter
- #imports = [
- # ./unbound.nix
- #];
-
- nixosConfig = {};
+ nixosConfig = {
+ services.unbound = {
+ _blocklists = {
+ enable = true;
+ blocklists = {
+ hageziNSFW = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
+ ];
+ hageziPro = [
+ "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
+ "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
+ "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
+ ];
+ };
+ };
+ };
+ services._router.dnsDhcpConfig = {
+ enable = mkRouter true;
+ };
+ };
 homeConfig = {};
 in
 {
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
deleted file mode 100644
index 1322193..0000000
--- a/archetypes/profiles/router/unbound.nix
+++ /dev/null
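Review bot: The new `services.unbound` block in default.nix carries only `_blocklists`, and nothing in this hunk sets `services.unbound.enable`, the local-network `access-control` allowlist, the `harden-*`/`qname-minimisation`/`hide-*` options or the TLS-only `forward-zone` to Quad9 that the removed unbound.nix provided. Presumably `services._router.dnsDhcpConfig` (defined outside this diff) supplies the resolver's enable and hardening; confirm that, otherwise the router comes up with stock Unbound settings and plaintext upstream forwarding. Separately, `_blocklists.enable = true;` is a plain definition while `dnsDhcpConfig.enable` is wrapped as `mkRouter true`, so a host cannot turn blocklists off without `mkForce`; for consistency with the profile's override priority use `enable = mkRouter true;` there too. The attribute set after `in {` continues outside the hunk.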
@@ -1,70 +0,0 @@
-{
- services.unbound = {
- enable = true;
- _blocklists = {
- enable = true;
- blocklists = {
- hageziNSFW = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
- ];
- hageziPro = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
- ];
- };
- };
- settings = {
- server = {
- # Listen on all interfaces (or specify specific IPs)
- interface = [ "0.0.0.0" "::0" ];
-
- # Allow queries from local networks
- access-control = [
- "127.0.0.0/8 allow"
- "192.168.0.0/16 allow"
- "10.0.0.0/8 allow"
- "172.16.0.0/12 allow"
- ];
-
- ## Enable DNSSEC validation
- #auto-trust-anchor-file: "/var/unbound/root.key"
-
- # Harden against out-of-zone data
- harden-referral-path = true;
- harden-dnssec-stripped = true;
-
- # Privacy options
- qname-minimisation = true;
-
- # Cache settings
- cache-min-ttl = 300;
- cache-max-ttl = 86400;
-
- # Hide version
- hide-identity = true;
- hide-version = true;
-
- # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
- harden-glue = true;
- use-caps-for-id = false;
- prefetch = true;
- edns-buffer-size = 1232;
- };
- # Forward unknown to public resolver via DoT
- forward-zone = [
- {
- name = ".";
- forward-addr = [
- "9.9.9.9#dns.quad9.net"
- "149.112.112.112#dns.quad9.net"
- ];
- forward-tls-upstream = true; # Encrypted DNS
- }
- ];
- remote-control.control-enable = true;
- };
- };
-}
|
