feat: kea unbound sync remove old leases

hosts/fw/modules/unbound.nix

@@ -261,6 +261,10 @@ in {
     enable = true;
     path = with pkgs; [ unbound inotify-tools ];
     script = ''
+      #!/usr/bin/env bash
+      set -euo pipefail
+
+      # readFile and readFileUnique as before…
       function readFile() {
         if [[ "''\$2" == "A" ]] ; then
           cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
@@ -315,17 +319,25 @@ in {
         done
       }
 
-      function syncFile() {
+      function syncLeases() {
-        # readFileUnique "''\$1" "''\$2"
+        # 1) nuke all of our old lease records from unbound
-        while true; do
+        unbound-control list_local_data \
-          readFileUnique "''\$1" "''\$2"
+          | grep -E 'cloonar\.(com|multimedia|smart)|ip4\.arpa|in-addr\.arpa' \
-          sleep 10
+          | while read -r name type data; do
+              unbound-control local_data_remove "$name" "$type" "$data" \
+                > /dev/null 2>&1
             done
+
+        # 2) re-push every current lease
+        readFileUnique "/var/lib/kea/dhcp4.leases" A
+        # if you need IPv6:
+        # readFileUnique "/var/lib/kea/dhcp6.leases" AAAA
       }
 
-      syncFile "/var/lib/kea/dhcp4.leases" A &
+      while true; do
-      # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
+        syncLeases
-      wait
+        sleep 10
+      done
     '';
     wants = [ "network-online.target" "unbound.service" ];
     after = [ "network-online.target" "unbound.service" ];