From f23ad4b0ee6a011acd6d6bb04e842bfe454c8c11 Mon Sep 17 00:00:00 2001
From: kenny
Date: Fri, 16 Jan 2026 18:44:57 +0200
Subject: [PATCH] Added unbound DNS module + added to puter

---
 hosts/puter/default.nix | 1 +
 modules/common/unbound-cloud.nix | 38 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 modules/common/unbound-cloud.nix

diff --git a/hosts/puter/default.nix b/hosts/puter/default.nix
index 40a448d..90b165b 100644
--- a/hosts/puter/default.nix
+++ b/hosts/puter/default.nix
@@ -24,6 +24,7 @@
 ../../modules/common/wine.nix
 ../../modules/common/libvirt.nix
 ../../modules/common/keyd.nix
+ ../../modules/common/unbound-cloud.nix
 ];
 
 networking.hostName = "puter"; # This will be overridden by system/default.nix
diff --git a/modules/common/unbound-cloud.nix b/modules/common/unbound-cloud.nix
new file mode 100644
index 0000000..8d3db75
--- /dev/null
+++ b/modules/common/unbound-cloud.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ # Listen only locally
+ interface = ["127.0.0.1"];
+ port = 5335;
+ access-control = ["127.0.0.1 allow"];
+
+ # Recommended hardening
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+
+ # Performance
+ prefetch = true;
+ edns-buffer-size = 1232;
+
+ # Privacy
+ hide-identity = true;
+ hide-version = true;
+ };
+
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = ["dns.mycloudhaus.xyz@853"];
+ forward-tls-upstream = true; # Enable DoT
+ }
+ ];
+ };
+ };
+}
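Review bot: `forward-addr = ["dns.mycloudhaus.xyz@853"]` in the forward-zone hands unbound a hostname where it expects an IP address and omits the `#authname` suffix, so the forwarder is likely to be rejected by unbound-checkconf, and even where accepted the DoT session would be encrypted without the upstream certificate being checked against a name. The DoT address form is `IP@port#hostname`, i.e. `forward-addr = ["<UPSTREAM_IP>@853#dns.mycloudhaus.xyz"];` with the real resolver IP in place of the placeholder. Name verification additionally depends on `tls-cert-bundle` being set in the server section; the NixOS unbound module appears to default it to the system CA bundle, but that is worth confirming on this host rather than assumed, since without it `forward-tls-upstream = true` is opportunistic encryption only. As a minor point of style, `config` and `pkgs` in the module's argument set are unused and the header could be reduced to `{ ... }: {`.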