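# NixOS module: runs Unbound as a resolver bound to `mainInterface`, opens
# port 53 in the host firewall and installs a small blocklist zone file.
{ config, lib, ... }:

{
  options = {
    # No default is declared, so evaluation fails unless the host sets a value.
    mainInterface = lib.mkOption {
      type = lib.types.str;
      description = "Value handed verbatim to Unbound's `server.interface`, i.e. where Unbound listens for queries.";
    };
  };

  config = {
    # Blocklist written to /etc/unbound/ads.zone. Each name appears twice (apex
    # and wildcard) so subdomains are covered as well. `CNAME .` is the RPZ
    # convention for answering NXDOMAIN.
    # NOTE(review): nothing in this module loads the file; presumably one of
    # the included .conf files references it. Verify.
    # NOTE(review): confirm the spelling "tiktock.com" is the intended name.
    environment.etc."unbound/ads.zone".text = ''
      tiktock.com CNAME .
      *.tiktock.com CNAME .
      iogames.space CNAME .
      *.iogames.space CNAME .
      taming.io CNAME .
      *.taming.io CNAME .
    '';

    networking = {
      firewall = {
        # DNS over UDP and TCP. These rules apply to every interface, while
        # Unbound itself binds only to `mainInterface`.
        # NOTE(review): on a host with an untrusted uplink, consider scoping the
        # rule via networking.firewall.interfaces.<name> instead.
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };

    services = {
      unbound = {
        enable = true;
        # unbound-control talks to the daemon over this Unix socket.
        localControlSocketPath = "/var/lib/unbound/control.sock";
        settings = {
          server = {
            do-ip6 = "no";
            # Send upstream servers only the labels they need to answer.
            qname-minimisation = "yes";
            interface = [ config.mainInterface ];
            # Only these client networks may query; by default Unbound refuses
            # everything else except localhost, which keeps this from being an
            # open resolver.
            access-control = [
              "10.0.0.0/8 allow"
              # IPv6 unique-local range. It was written as fc::/7, which
              # expands to ::/7 and does not cover ULA. The entry has no
              # effect while do-ip6 = "no", but it must be right if IPv6 is
              # ever enabled.
              "fc00::/7 allow"
            ];
          };
          # Path interpolation copies each file into the world-readable Nix
          # store, so these files must not contain secrets. Their contents are
          # not visible here and need separate review.
          include = [
            "${../configs/unbound-local.conf}"
            "${../configs/unbound-threat-zone.conf}"
            "${../configs/unbound-local-block.conf}"
          ];
        };
      };
    };
  };
}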