{
  services.unbound = {
    enable = true;

    # `_blocklists` is not a stock NixOS option; whatever consumes it is
    # defined elsewhere in this configuration. Each entry names three mirrors
    # of the same Hagezi RPZ file. The refs used here (`@latest`, `main`) are
    # unpinned: list contents change upstream without any change in this
    # file, and nothing here verifies what is fetched.
    _blocklists = {
      enable = true;
      blocklists = {
        hageziNSFW = [
          "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
          "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
          "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
        ];
        hageziPro = [
          "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
          "https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
          "https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
        ];
      };
    };

    settings = {
      server = {
        # Bind every IPv4 and IPv6 address on the host. Reachability is gated
        # by access-control below, not by the listen addresses, so narrow this
        # list if the machine has interfaces that should never see DNS.
        interface = [ "0.0.0.0" "::0" ];

        # Clients permitted to query: loopback plus the RFC 1918 ranges.
        # Anything not matched falls through to Unbound's documented default,
        # which refuses the query.
        access-control = [
          "127.0.0.0/8 allow"
          "192.168.0.0/16 allow"
          "10.0.0.0/8 allow"
          "172.16.0.0/12 allow"
        ];

        # DNSSEC: no trust anchor is configured in this file.
        # NOTE(review): the NixOS module option enableRootTrustAnchor
        # (default true) is expected to supply auto-trust-anchor-file; confirm
        # it appears in the generated unbound.conf before relying on validation.

        # Hardening: reject referrals/glue that fall outside the authoritative
        # zone, and treat missing DNSSEC data as bogus rather than insecure.
        harden-referral-path = true;
        harden-dnssec-stripped = true;
        harden-glue = true;

        # Privacy: send each upstream only the labels it needs to answer.
        qname-minimisation = true;

        # Cache bounds, in seconds.
        cache-min-ttl = 300;
        cache-max-ttl = 86400;

        # Do not answer id.server / hostname.bind / version.bind probes.
        hide-identity = true;
        hide-version = true;

        # Per https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
        use-caps-for-id = false;
        prefetch = true;
        edns-buffer-size = 1232;
      };

      # Everything not answered locally is forwarded to Quad9 over
      # DNS-over-TLS. The "#hostname" suffix is the name checked against the
      # upstream certificate.
      # NOTE(review): that check only happens when tls-cert-bundle is set;
      # the NixOS module is expected to default it — confirm in the generated
      # config, otherwise the TLS session is encrypted but unauthenticated.
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];

      # unbound-control access. No control-interface or key paths are set
      # here, so the bind address and key material come from defaults outside
      # this file; verify the control socket is only reachable locally.
      remote-control = {
        control-enable = true;
      };
    };
  };
}