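# NixOS module: local DNS stack for this host.
#
# AdGuard Home is enabled, and Unbound is configured as a loopback-only
# resolver on port 5354.
# NOTE(review): nothing in this file points AdGuard Home at 127.0.0.1:5354;
# presumably that upstream is set in AdGuard Home's own settings. Confirm.
#
# Arguments:
#   extraInfo.hostsLocalIps - attrset supplying the addresses used for the
#     `london`, `camelot`, `okeanos` and `fuyuki` A records below.
{ extraInfo, ... }:
let
  localIps = extraInfo.hostsLocalIps;
in
{
  # Resolvconf: the host resolves through the resolver on loopback.
  networking.nameservers = [ "127.0.0.1" "::1" ];

  # DNS resolver configuration
  services.adguardhome.enable = true;

  networking.firewall = {
    # DNS over UDP is opened with no per-interface restriction in this file.
    # NOTE(review): confirm this host is only reachable from trusted networks;
    # a resolver that answers arbitrary sources can be abused for
    # reflection/amplification.
    # NOTE(review): TCP/53 is not opened, so a client retrying a truncated
    # answer over TCP is dropped by the firewall. Add 53 to allowedTCPPorts
    # if LAN clients rely on TCP fallback.
    allowedUDPPorts = [ 53 ];
    # NOTE(review): 80/443 presumably serve AdGuard Home (web UI and/or
    # encrypted DNS). Confirm, and keep the admin UI off untrusted interfaces.
    allowedTCPPorts = [ 80 443 ];
  };

  services.unbound = {
    enable = true;
    settings = {
      server = {
        # Listen on loopback only, on a non-standard port, and answer only
        # loopback sources.
        interface = [ "127.0.0.1" ];
        port = "5354";
        access-control = [ "127.0.0.0/8 allow" ];

        # NOTE(review): this file is not created by this module; it has to
        # exist (and be kept current) by some other means.
        root-hints = "/var/lib/unbound/root.hints";

        # Transports: IPv4 over UDP and TCP; IPv6 transport disabled.
        do-ip4 = true;
        do-tcp = true;
        do-udp = true;
        do-ip6 = false;
        prefer-ip6 = false;

        # Hardening.
        harden-glue = true;
        # Only effective when a trust anchor is configured.
        # NOTE(review): presumably supplied by the NixOS module's
        # enableRootTrustAnchor default; confirm.
        harden-dnssec-stripped = true;
        # 0x20 query-name randomisation is left off.
        use-caps-for-id = false;
        # 1232 bytes keeps UDP answers below common path MTUs, avoiding
        # IP fragmentation.
        edns-buffer-size = 1232;

        # Refresh popular cache entries shortly before they expire.
        prefetch = true;
        so-rcvbuf = "1m";

        # DNS-rebinding protection: these ranges are stripped from answers
        # received from upstream (local-data names are exempt).
        # NOTE(review): only 192.168.0.0/16 and 10.0.0.0/24 are listed; the
        # rest of 10.0.0.0/8, 172.16.0.0/12 and link-local ranges are not
        # covered. Confirm that is intended.
        private-address = [ "192.168.0.0/16" "10.0.0.0/24" ];

        # Do not check DNSSEC for ntp.org, as RockPro64 has no BIOS battery
        # (the clock can be wrong at boot, which would make signature
        # validity checks fail before NTP has run). Trade-off: answers under
        # ntp.org are accepted unvalidated, so they are not protected
        # against spoofing.
        domain-insecure = [ "ntp.org" ];

        # Static A records for local hosts. `local-data` is a server-clause
        # option in unbound.conf, so it is declared under `server` rather
        # than as a sibling clause, where it would only end up in the right
        # place if the generated file happened to emit it directly after the
        # server options.
        local-data = [
          "\"london A ${localIps.london}\""
          "\"camelot A ${localIps.camelot}\""
          "\"okeanos A ${localIps.okeanos}\""
          "\"fuyuki A ${localIps.fuyuki}\""
        ];
      };

      # Enables the unbound-control channel.
      # NOTE(review): no control-interface is set here, so where it listens
      # depends on Unbound / NixOS module defaults. Confirm it stays on
      # loopback or a local socket.
      remote-control = {
        control-enable = true;
      };
    };
  };
}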