From 52cac17f16db360954a787235a5d1a068bf68f64 Mon Sep 17 00:00:00 2001
From: Astro <astro@spaceboyz.net>
Date: Wed, 14 Apr 2021 23:25:21 +0200
Subject: [PATCH] nixos-module/container/dnscache: set tls-cert-bundle

---
 nix/nixos-module/container/dnscache.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nix/nixos-module/container/dnscache.nix b/nix/nixos-module/container/dnscache.nix
index accd48a..4c61c19 100644
--- a/nix/nixos-module/container/dnscache.nix
+++ b/nix/nixos-module/container/dnscache.nix
@@ -1,4 +1,4 @@
-{ hostName, config, lib, ... }:
+{ hostName, config, lib, pkgs, ... }:
 
 lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
   services.unbound = {
@@ -34,6 +34,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
         forward-addr: 1.0.0.1@853#cloudflare-dns.com
 
       server:
+        tls-cert-bundle: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
         # allow reverse lookup of rfc1918 space, which includes the DN42 address space
         unblock-lan-zones: yes
         insecure-lan-zones: yes