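# NixOS module: opt-in local validating Unbound resolver (eboskma.unbound).
#
# Enabling `eboskma.unbound.enable` turns on `services.unbound` with a hardened
# server section. Listening interfaces and access-control are not set here, so
# whatever `services.unbound` provides by default applies (expected to be
# loopback-only — confirm before exposing the resolver to a LAN).
{ config, lib, ... }:
with lib;
let
  cfg = config.eboskma.unbound;
in
{
  options.eboskma.unbound = {
    enable = mkEnableOption "unbound DNS";
  };

  config = mkIf cfg.enable {
    services.unbound = {
      enable = true;
      # unbound-control over a local unix socket (no TCP control port).
      localControlSocketPath = "/run/unbound/unbound.ctl";

      settings = {
        server = {
          # No `logfile` is set; unbound then logs to stderr (journald).
          log-queries = false;
          verbosity = 1;

          # Non-standard port: a downstream forwarder (e.g. Pi-hole) is expected
          # to point at 127.0.0.1:5335 rather than clients talking to unbound directly.
          port = 5335;
          do-ip4 = true;
          do-ip6 = true;
          do-udp = true;
          do-tcp = true;
          prefer-ip6 = true;

          # Don't answer id.server/version.server CH TXT queries.
          hide-identity = true;
          hide-version = true;

          # Trust glue only if it is within the server's authority.
          harden-glue = true;
          # Require DNSSEC data for trust-anchored zones; if such data is absent
          # the zone becomes BOGUS instead of silently downgrading to insecure.
          harden-dnssec-stripped = true;
          harden-referral-path = true;

          # 0x20 query-name case randomisation is disabled because some authoritative
          # servers answer with a different case, which looks like a spoof and breaks
          # resolution (see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378).
          # Trade-off: this removes one source of entropy against cache poisoning;
          # the remaining defenses are source-port randomisation and DNSSEC validation.
          use-caps-for-id = false;

          # EDNS reassembly buffer size. 1232 is the DNS flag day 2020 value and the
          # current unbound default: it fits in a single unfragmented packet on IPv6
          # (1280 MTU) as well as IPv4, so it avoids fragmentation-based poisoning
          # attacks that a larger buffer (the previous 1472 here) is exposed to.
          edns-buffer-size = 1232;

          # Prefetch close-to-expired message cache entries and DNSSEC keys.
          # Only applies to names that are queried frequently.
          prefetch = true;
          prefetch-key = true;

          # Serve a stale record immediately and refresh it in the background
          # instead of blocking the client on the upstream lookup. The alternative
          # is to raise cache-min-ttl to e.g. 3600 (at the cost of ignoring
          # authoritative TTLs). serve-expired-ttl caps how long (seconds past
          # expiry) a stale record may still be handed out; without it unbound
          # will serve stale data indefinitely while upstream is unreachable.
          cache-min-ttl = 0;
          serve-expired = true;
          serve-expired-ttl = 86400;

          # rrset cache is kept at roughly twice the message cache, as the unbound
          # documentation recommends. Slab count should be a power of two near num-threads.
          rrset-cache-size = "256m";
          msg-cache-size = "128m";
          msg-cache-slabs = 4;

          # Two worker threads. For a single host or a small network one thread is
          # already sufficient; raise this only on busy resolvers.
          num-threads = 2;

          # Ensure the kernel socket buffer is large enough to not lose queries
          # during traffic spikes.
          so-rcvbuf = "1m";

          # Addresses in these ranges are stripped from answers for public names
          # (DNS-rebinding protection). Internal zones that legitimately resolve to
          # these ranges must be whitelisted with `private-domain`, otherwise their
          # answers are dropped.
          private-address = [
            "192.168.0.0/16"
            "169.254.0.0/16"
            "172.16.0.0/12"
            "10.0.0.0/8"
            "fd00::/8"
            "fe80::/10"
          ];
        };
      };
    };
  };
}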