networking: Add DNS via unbound

nixos-config/default.nix

@@ -9,6 +9,7 @@
     flake-inputs.sops-nix.nixosModules.sops
 
     ./greeter
+    ./networking
     ./sway.nix
     ./yubikey.nix
     ../modules
@@ -79,22 +80,15 @@
     };
   };
 
-  networking = {
-    useDHCP = false;
-    networkmanager.enable = true;
-  };
-
   time.timeZone = "Europe/Amsterdam";
 
   users = {
     defaultUserShell = pkgs.zsh;
 
-    groups.network = {};
-
     users = {
       tlater = {
         isNormalUser = true;
-        extraGroups = ["wheel" "video" "network"];
+        extraGroups = ["wheel" "video"];
       };
     };
   };

nixos-config/hosts/ren/default.nix

@@ -6,7 +6,7 @@
     ./hardware-configuration.nix
     ./nixos-hardware-precursor.nix
     ./disko.nix
-    ../../networks/personal.nix
+    ../../networking/personal.nix
     ../../wireguard.nix
   ];
 

nixos-config/hosts/rin/default.nix

@@ -5,7 +5,7 @@
 }: {
   imports = [
     flake-inputs.disko.nixosModules.disko
-    ../../networks/work.nix
+    ../../networking/work.nix
 
     ./hardware-configuration.nix
     ./disko.nix

nixos-config/hosts/yui/default.nix

@@ -15,7 +15,7 @@ in {
 
     ./games.nix
     ./hardware-configuration.nix
-    ../../networks/personal.nix
+    ../../networking/personal.nix
     ./wireguard.nix
     ../../wireguard.nix
     ./nvidia

nixos-config/networking/default.nix

@@ -0,0 +1,33 @@
+{
+  users.users.tlater.extraGroups = ["networking"];
+
+  networking = {
+    useDHCP = false;
+    networkmanager.enable = true;
+  };
+
+  services.unbound = {
+    enable = true;
+
+    settings = {
+      server = {
+        qname-minimisation = true;
+      };
+
+      forward-zone = [
+        {
+          # ProtonVPN DNS, if available
+          name = ".";
+          forward-addr = "10.2.0.1";
+        }
+        {
+          # Cloudflare backup
+          name = ".";
+          forward-addr = "1.1.1.1";
+        }
+      ];
+    };
+
+    localControlSocketPath = "/run/unbound/unbound.ctl";
+  };
+}