# NixOS module: a local unbound resolver fed by openresolv, plus a small
# helper script ("local-dns") packaged from this directory.
{ config, pkgs, ... }:

let
  # Package ./local-dns from this directory as bin/local-dns.
  # `cp` keeps the file mode of the store copy, so the script has to be
  # executable in the source tree already.
  localDns = pkgs.runCommand "local-dns" { } ''
    mkdir -p "$out/bin"
    cp ${./local-dns} "$out/bin/local-dns"
  '';
in
{
  environment.systemPackages = [ localDns ];

  services.unbound = {
    enable = true;
    # NOTE(review): with the root trust anchor disabled, unbound is not set up
    # to DNSSEC-validate answers against the root key — confirm this is intended
    # for this host's resolver chain.
    enableRootTrustAnchor = false;
    extraConfig = ''
      include: /var/lib/unbound/unbound-resolvconf.conf
      remote-control:
        control-enable: yes
        control-interface: /var/lib/unbound/unbound.sock
    '';
  };

  # Run unbound under its own group instead of nogroup, so the control socket
  # above is not reachable by every account that shares the default group.
  users.users.unbound.group = "unbound";
  users.groups.unbound = { };

  # Let openresolv write the forwarder list into the file included above and
  # ask unbound to reload it; "|| true" keeps resolvconf from failing when the
  # reload command returns non-zero (e.g. the control socket is not up yet).
  networking.resolvconf.extraConfig = ''
    unbound_conf=/var/lib/unbound/unbound-resolvconf.conf
    unbound_restart="${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload || true"
  '';
}