# Recursive, caching resolver (unbound) for every host whose site config sets
# `services.dnscache.enable`. Upstream resolution goes to public resolvers over
# DNS-over-TLS; site-local, Freifunk and DN42 zones are forwarded / stubbed to
# their own servers.
{ hostName, config, lib, pkgs, ... }:

let
  cfg = config.site.hosts.${hostName}.services.dnscache;
  serv = config.site.net.serv;

  # A zone of the local site: forwarded to the site's v4 DNS server and to the
  # `dns` entry of every v6 host set.
  localZone = { name, ... }: {
    name = "${name}";
    forward-addr =
      [ "${serv.hosts4.dns}" ]
      ++ lib.mapAttrsToList (_: host: host.dns) serv.hosts6;
  };

  # A Freifunk zone: forwarded to the two resolvers listed here.
  ffddZone = zone: {
    name = zone;
    forward-addr = [ "10.200.0.4" "10.200.0.16" ];
  };

  # A DN42 zone: stub zone, primed from the servers listed here.
  dn42Zone = zone: {
    name = zone;
    stub-prime = true;
    stub-addr = [
      "172.20.0.53"
      "fd42:d42:d42:54::1"
      "172.23.0.53"
      "fd42:d42:d42:53::1"
    ];
  };

  # Root zone: all remaining queries go to Quad9 / Cloudflare over TLS (port 853);
  # the `#hostname` suffix is what unbound authenticates the certificate against.
  rootZone = {
    name = ".";
    forward-tls-upstream = true;
    forward-addr = [
      # Quad9
      "2620:fe::fe@853#dns.quad9.net"
      "9.9.9.9@853#dns.quad9.net"
      "2620:fe::9@853#dns.quad9.net"
      "149.112.112.112@853#dns.quad9.net"
      # Cloudflare DNS
      "2606:4700:4700::1111@853#cloudflare-dns.com"
      "1.1.1.1@853#cloudflare-dns.com"
      "2606:4700:4700::1001@853#cloudflare-dns.com"
      "1.0.0.1@853#cloudflare-dns.com"
    ];
  };
in

lib.mkIf cfg.enable {
  services.unbound = {
    enable = true;

    settings = {
      # Unencrypted unbound-control. No control-interface is set here, so this
      # relies on unbound's loopback-only default — confirm before changing.
      remote-control = {
        control-enable = true;
        control-use-cert = false;
      };

      server = {
        num-threads = 4;
        verbosity = 1;
        prefetch = true;
        # NOTE(review): expired entries are served without a serve-expired-ttl
        # bound being set here — confirm the intended staleness limit.
        serve-expired = true;
        cache-min-ttl = 60;
        cache-max-ttl = 3600;

        # Listens on every address; the inner quotes are passed through to
        # unbound.conf as written.
        interface = [ "0.0.0.0" "'::0'" ];

        # Who may query: site, Freifunk, DN42 and loopback prefixes (the IPv4
        # ranges also in their IPv6-embedded form); everything else is denied.
        # TODO: generate
        access-control = [
          "fd23:42:c3d2:500::/56 allow"
          "2a00:8180:2000:37::1/128 allow"
          "2a00:8180:2c00:200::/56 allow"
          "::172.20.72.0/117 allow"
          "::172.22.99.0/120 allow"
          "::1/128 allow"
          "172.20.72.0/21 allow"
          "10.0.0.0/24 allow"
          "10.200.0.0/15 allow"
          "172.22.99.0/24 allow"
          "127.0.0.0/8 allow"
          "0.0.0.0/0 deny"
          "::/0 deny"
        ];

        # For DNS over TLS: CA bundle used to verify the upstream resolvers'
        # certificates.
        tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

        # allow reverse lookup of rfc1918 space, which includes the DN42 address space
        unblock-lan-zones = true;
        insecure-lan-zones = true;
        # These zones are not DNSSEC-validated.
        domain-insecure = [ "dn42" "d.f.ip6.arpa" "ffdd" ];
      };

      forward-zone =
        [ rootZone ]
        # Local networks
        ++ map localZone config.site.dns.localZones
        # Freifunk
        ++ map ffddZone [
          "ffdd"
          "200.10.in-addr.arpa"
          "201.10.in-addr.arpa"
        ];

      # DN42
      stub-zone = map dn42Zone [
        "dn42"
        "d.f.ip6.arpa"
        "20.172.in-addr.arpa"
        "21.172.in-addr.arpa"
        "22.172.in-addr.arpa"
        "23.172.in-addr.arpa"
      ];
    };
  };
}