Diffstat (limited to 'modules/nixos/unbound.nix')
-rw-r--r--modules/nixos/unbound.nix54
1 files changed, 32 insertions, 22 deletions
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 2fab1e0..c7338e5 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -30,12 +30,20 @@ in {
promtail.filters = [
{
match = {
- # Should be fixed[1] in the next release.
- #
- # [1]: https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
- selector = ''{syslog_identifier="unbound"} |~ ".*could not SSL_read crypto.*"'';
+ selector = ''{syslog_identifier="unbound"} |~ " start | stopped |.*in-addr.arpa."'';
action = "drop";
- drop_counter_reason = "noise";
+ };
+ }
+ {
+ match = {
+ selector = ''{syslog_identifier="unbound"} |= "reply:"'';
+ stages = [{static_labels.dns = "reply";}];
+ };
+ }
+ {
+ match = {
+ selector = ''{syslog_identifier="unbound"} |~ "redirect |always_null|always_nxdomain"'';
+ stages = [{static_labels.dns = "block";}];
};
}
];
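Review bot: The new drop selector `" start | stopped |.*in-addr.arpa."` discards every unbound line that mentions in-addr.arpa, and if these filters run in order as pipeline stages (the option is defined outside the hunk), reverse-lookup replies and local-action hits are dropped before the two labelling stages see them. With `drop_counter_reason` removed, the discarded lines are also no longer counted under a reason of their own. If the labelled logs are meant to support DNS investigations, consider restricting the drop to the start/stop messages, or at least keep `drop_counter_reason = "noise";` so the dropped volume stays visible. The dots in `in-addr.arpa.` are unescaped and the leading `.*` is redundant for an unanchored `|~` match, so the pattern matches slightly more than it reads.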
@@ -125,6 +133,12 @@ in {
extended-statistics = true;
+ log-replies = true;
+ log-tag-queryreply = true;
+ log-local-actions = true;
+
+ verbosity = 0;
+
include = ''"${adblock-conf}"'';
};
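Review bot: `log-replies = true;` makes unbound write one line per answer containing the client address and the queried name, and the promtail filters in this commit forward those lines to the log store, yet nothing here documents that or the reason for `verbosity = 0;`. I would add a comment above the three log options, for example `# per-reply and local-action lines carry client IP + query name; they feed the dns="reply"/"block" labels`, and one on verbosity such as `# errors only; the log-* options above still emit their lines`. Retention and read access for this stream should be treated as for any per-client browsing record. The settings attribute set starts and ends outside the hunk.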
@@ -169,23 +183,19 @@ in {
Type = "oneshot";
User = user;
Group = group;
- ExecStart = let
- pkg = with pkgs;
- writeShellApplication {
- name = "unbound-adblock-update";
- runtimeInputs = [curl package];
- text = ''
- curl -s \
- "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" \
- >${adblock-conf}
-
- if [[ -f "${localControlSocketPath}" ]]; then
- unbound-control reload
- fi
- '';
- };
- in
- getExe pkg;
+ ExecStart = getExe (pkgs.writeShellApplication {
+ name = "unbound-adblock-update";
+ runtimeInputs = [pkgs.curl package];
+ text = ''
+ curl -s \
+ "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" \
+ >${adblock-conf}
+
+ if [[ -f "${localControlSocketPath}" ]]; then
+ unbound-control reload
+ fi
+ '';
+ });
};
};
};
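Review bot: The refactored script still redirects `curl -s` straight into `${adblock-conf}`, so the included file is truncated before the transfer starts. Without `--fail`, an HTTP error body or a partial download becomes resolver configuration, and nothing checks that the remote list holds only `local-zone`/`local-data` lines before unbound loads it. Downloading to a temporary file, validating it and renaming it into place avoids both problems. The sketch below assumes the target directory is writable by the service user and that the feed contains only those two directives. Separately, `[[ -f "${localControlSocketPath}" ]]` is true only for regular files, so if that path is a Unix socket, as the name suggests, the reload never runs and `[[ -S "${localControlSocketPath}" ]]` would be the matching test. The surrounding service definition starts outside the hunk.

```nix
text = ''
  tmp="$(mktemp "${adblock-conf}.XXXXXX")"
  trap 'rm -f "$tmp"' EXIT

  curl --silent --show-error --fail --proto '=https' \
    --output "$tmp" \
    "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext"

  # Refuse the update if the feed carries anything besides blocklist entries.
  if grep -qvE '^(local-(zone|data): .*|#.*|[[:space:]]*)$' "$tmp"; then
    echo "unexpected directive in downloaded blocklist" >&2
    exit 1
  fi

  mv "$tmp" ${adblock-conf}

  # … unchanged: unbound-control reload when the control socket exists …
'';
```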