-rw-r--r-- | flake.nix | 2 | ||||
-rw-r--r-- | hosts/heimdall/default.nix | 2 | ||||
-rw-r--r-- | modules/retired/blocky/default.nix (renamed from modules/services/blocky/default.nix) | 0 | ||||
-rw-r--r-- | modules/services/dns/default.nix | 26 |
4 files changed, 28 insertions, 2 deletions
@@ -58,7 +58,7 @@
 }
 {
 type = "services";
- modules = [ "blocky" "searx" "ssh" ];
+ modules = [ "dns" "searx" "ssh" ];
 }
 ])
 (mkSystem "odin" inputs.nixpkgs [
diff --git a/hosts/heimdall/default.nix b/hosts/heimdall/default.nix
index 50bbbaf..7aed928 100644
--- a/hosts/heimdall/default.nix
+++ b/hosts/heimdall/default.nix
@@ -37,6 +37,6 @@
 programs.motd = {
 enable = true;
 networkInterfaces = lib.lists.singleton "eno1";
- servicesToCheck = [ "blocky" "searx" ];
+ servicesToCheck = [ "searx" "unbound" ];
 };
 }
diff --git a/modules/services/blocky/default.nix b/modules/retired/blocky/default.nix
index ca58f4f..ca58f4f 100644
--- a/modules/services/blocky/default.nix
+++ b/modules/retired/blocky/default.nix
diff --git a/modules/services/dns/default.nix b/modules/services/dns/default.nix
new file mode 100644
index 0000000..e229da3
--- /dev/null
+++ b/modules/services/dns/default.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.unbound = {
+ enable = true;
+ package = pkgs.unbound-with-systemd;
+ enableRootTrustAnchor = true;
+ resolveLocalQueries = true;
+ settings.server = {
+ interface = [ "0.0.0.0" ];
+ port = 53;
+ access-control = [ "10.44.0.0/16 allow" ];
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ hide-identity = true;
+ hide-version = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
|
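Review bot: In modules/services/dns/default.nix the resolver binds to `0.0.0.0` and `networking.firewall` opens port 53 TCP/UDP on every interface, so the single `access-control = [ "10.44.0.0/16 allow" ]` entry is the only thing deciding who gets answers. If the host ever gains an interface outside the 10.44.0.0/16 network, queries from there still reach unbound and depend entirely on that ACL. Scoping the firewall rule to the LAN interface adds a second layer, e.g. `networking.firewall.interfaces."eno1" = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };`. The name `eno1` is taken from hosts/heimdall, so a shared module would probably want it passed in as an option rather than hard-coded. A short comment next to `access-control` saying which network 10.44.0.0/16 is would also help the next reader check that the allow-list is intended.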