# NixOS module: a local caching/validating DNS resolver (unbound) that blocks
# hosts taken from the pinned StevenBlack hosts list and forwards everything
# else upstream over DNS-over-TLS. The module also takes over /etc/resolv.conf
# so the host itself resolves through the local unbound.
{ config, lib, pkgs, ... }:
let
  # Derivation that converts the hosts file into an unbound config fragment:
  # one `local-zone: "<name>" static` line per blocked host name.
  adblockLocalZones = pkgs.stdenv.mkDerivation {
    name = "unbound-zones-adblock";
    # Pinned by tag and content hash; bumping `rev` requires refreshing
    # `sha256`. The "/hosts" suffix makes `src` the single hosts file inside
    # the checkout rather than the repository root.
    src = (pkgs.fetchFromGitHub {
      owner = "StevenBlack";
      repo = "hosts";
      rev = "3.16.20";
      sha256 = "sha256-z3VWoF5/evd0n97AmrWgSskaNqVaad0Ex2pn53JHkSk=";
    } + "/hosts");
    # Only the install phase runs: there is nothing to unpack or build, the
    # pipeline below reads $src directly.
    phases = [ "installPhase" ];
    # Pipeline: strip trailing CR, rewrite a leading "127.0.0.1" to "0.0.0.0",
    # keep only two-field lines whose first field is "0.0.0.0", print each as a
    # static local zone, lower-case the result and de-duplicate it.
    # NOTE(review): because 127.0.0.1 entries are rewritten too, any
    # "127.0.0.1 localhost"-style header lines in the hosts file would come out
    # as `local-zone: "localhost" static` with no local-data, and a bare name
    # such as "local" would make the whole `.local` TLD static — inspect the
    # generated $out and confirm it does not shadow unbound's built-in
    # localhost zone or block names you rely on.
    installPhase = ''
      ${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
    '';
  };
in
{
  # systemd-resolved is disabled (resolvconf below as well) so that unbound is
  # the only resolver on the host and /etc/resolv.conf is written statically.
  services.resolved.enable = false;
  # NOTE(review): these rules open port 53 on every interface, so unbound's
  # access-control list below becomes the only gate for queries arriving from
  # non-private sources. If the machine has a public-facing interface, prefer
  # networking.firewall.interfaces.<lan-interface>.allowedTCPPorts/allowedUDPPorts
  # so the port stays closed everywhere except the LAN.
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
  services.unbound = {
    enable = true;
    settings = {
      server = {
        port = 53;
        # Listens on all IPv4 addresses. "127.0.0.1" is already covered by
        # "0.0.0.0" — presumably listed for explicitness; verify unbound binds
        # both without an address-in-use conflict.
        interface = [ "0.0.0.0" "127.0.0.1" ];
        # Only loopback and RFC 1918 sources may query; unbound refuses
        # sources that match no access-control entry.
        access-control = [
          "127.0.0.0/8 allow"
          "10.0.0.0/8 allow"
          "172.16.0.0/12 allow"
          "192.168.0.0/16 allow"
        ];
        # Pull in the generated block list (store path of the derivation above).
        include = [ "${adblockLocalZones}" ];
        num-threads = 2;
        so-reuseport = "yes";
        # Do not answer id.server / version.bind queries; limits fingerprinting.
        hide-identity = "yes";
        hide-version = "yes";
        # Send only as much of the query name upstream as each step needs.
        qname-minimisation = "yes";
        # Missing DNSSEC data for a trust-anchored zone is treated as bogus
        # rather than silently downgraded to insecure.
        harden-dnssec-stripped = "yes";
        # Availability over freshness: refresh popular entries before they
        # expire, and answer from stale data while a refresh is in flight.
        # serve-expired means a revoked/changed record can still be served
        # briefly after its TTL ends.
        prefetch = "yes";
        serve-expired = "yes";
        rrset-roundrobin = "yes";
        # IPv6 is disabled entirely: no ::1 listener, no IPv6 upstream transport.
        do-ip6 = "no";
        do-udp = "yes";
        do-tcp = "yes";
      };
      # All queries are forwarded over DNS-over-TLS (port 853). The "#name"
      # suffix is the authentication name the upstream certificate must match.
      # NOTE(review): that name is only checked when a CA bundle is configured
      # via tls-cert-bundle; the NixOS unbound module is believed to default it
      # to the system bundle — confirm, otherwise the upstream TLS identity is
      # not verified.
      forward-zone = [{
        name = ".";
        forward-tls-upstream = "yes";
        forward-addr = [
          "1.1.1.1@853#cloudflare-dns.com"
          "1.0.0.1@853#cloudflare-dns.com"
          "8.8.8.8@853#dns.google"
          "8.8.4.4@853#dns.google"
        ];
      }];
    };
  };
  networking.resolvconf.enable = false;
  # Static resolv.conf pointing at the local unbound; "edns0" enables EDNS0 in
  # the stub resolver (needed for DNSSEC-sized answers).
  environment.etc."resolv.conf".text = ''
    nameserver 127.0.0.1
    options edns0
  '';
}