From d4db2f41db471ee25a03d9cdae37f55301b98f22 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Tue, 30 Dec 2025 23:38:51 -0600
Subject: unbound config in router profile is now services/router/dns.nix. unbound + dnsmasq config for local resolution and dhcp
---
archetypes/profiles/router/unbound.nix | 70 ----------------------------------
1 file changed, 70 deletions(-)
delete mode 100644 archetypes/profiles/router/unbound.nix
(limited to 'archetypes/profiles/router/unbound.nix')
diff --git a/archetypes/profiles/router/unbound.nix b/archetypes/profiles/router/unbound.nix
deleted file mode 100644
index 1322193..0000000
--- a/archetypes/profiles/router/unbound.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- services.unbound = {
- enable = true;
- _blocklists = {
- enable = true;
- blocklists = {
- hageziNSFW = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
- ];
- hageziPro = [
- "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
- "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
- "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
- ];
- };
- };
- settings = {
- server = {
- # Listen on all interfaces (or specify specific IPs)
- interface = [ "0.0.0.0" "::0" ];
-
- # Allow queries from local networks
- access-control = [
- "127.0.0.0/8 allow"
- "192.168.0.0/16 allow"
- "10.0.0.0/8 allow"
- "172.16.0.0/12 allow"
- ];
-
- ## Enable DNSSEC validation
- #auto-trust-anchor-file: "/var/unbound/root.key"
-
- # Harden against out-of-zone data
- harden-referral-path = true;
- harden-dnssec-stripped = true;
-
- # Privacy options
- qname-minimisation = true;
-
- # Cache settings
- cache-min-ttl = 300;
- cache-max-ttl = 86400;
-
- # Hide version
- hide-identity = true;
- hide-version = true;
-
- # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
- harden-glue = true;
- use-caps-for-id = false;
- prefetch = true;
- edns-buffer-size = 1232;
- };
- # Forward unknown to public resolver via DoT
- forward-zone = [
- {
- name = ".";
- forward-addr = [
- "9.9.9.9#dns.quad9.net"
- "149.112.112.112#dns.quad9.net"
- ];
- forward-tls-upstream = true; # Encrypted DNS
- }
- ];
- remote-control.control-enable = true;
- };
- };
-}
-- cgit v1.2.3