From 5722249dd2046398bd0657748016d09f46fb92ab Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Sun, 15 Mar 2026 23:34:58 +1100
Subject: [PATCH] services/unbound: open firewall for dns from containers
---
 modules/services/unbound.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index e6ec4ad..349f9e8 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -7,6 +7,10 @@ let
 grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
 '';
 in {
+ networking.firewall.interfaces."ve-+" = {
+ allowedUDPPorts = [ 53 853 ];
+ allowedTCPPorts = [ 53 853 ];
+ };
 networking.firewall.interfaces.wg0 = {
 allowedUDPPorts = [ 53 853 ];
 allowedTCPPorts = [ 53 853 ];
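Review bot: The `"ve-+"` key in the added `networking.firewall.interfaces` entry is an iptables-style wildcard, so it admits DNS from every container veth whose name starts with `ve-`, including containers added later. It likely stops matching if the host moves to the nftables firewall backend (`networking.nftables.enable`), where the wildcard is written `*`. A comment above the entry would make that scope explicit, for example `# "ve-+" = every NixOS container veth (iptables wildcard); all containers may query this resolver`; if only some containers need the resolver, naming their interfaces is narrower. The entry also copies 853/UDP from the `wg0` entry, which is only needed if unbound serves DNS-over-QUIC; otherwise 853 can stay TCP-only. Whether unbound's `interface` and `access-control` settings limit queries to the container subnets is not visible here, since the module body continues past the hunk.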