feat: kea unbound sync remove old leases

hosts/fw/modules/unbound.nix

@@ -261,6 +261,10 @@ in {
     enable = true;
     path = with pkgs; [ unbound inotify-tools ];
     script = ''
+      #!/usr/bin/env bash
+      set -euo pipefail
+
+      # readFile and readFileUnique as before…
       function readFile() {
         if [[ "''\$2" == "A" ]] ; then
           cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
@@ -273,8 +277,8 @@ in {
             echo "''\${address},''\${hostname}"
           done
         fi    
-      }     
+      }
-          
+
       function readFileUnique() {
         readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
         do  
@@ -313,19 +317,27 @@ in {
             fi
           fi
         done
-      } 
-      
-      function syncFile() {
-        # readFileUnique "''\$1" "''\$2"
-        while true; do
-          readFileUnique "''\$1" "''\$2"
-          sleep 10
-        done 
       }
 
-      syncFile "/var/lib/kea/dhcp4.leases" A &
+      function syncLeases() {
-      # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
+        # 1) nuke all of our old lease records from unbound
-      wait
+        unbound-control list_local_data \
+          | grep -E 'cloonar\.(com|multimedia|smart)|ip4\.arpa|in-addr\.arpa' \
+          | while read -r name type data; do
+              unbound-control local_data_remove "$name" "$type" "$data" \
+                > /dev/null 2>&1
+            done
+
+        # 2) re-push every current lease
+        readFileUnique "/var/lib/kea/dhcp4.leases" A
+        # if you need IPv6:
+        # readFileUnique "/var/lib/kea/dhcp6.leases" AAAA
+      }
+
+      while true; do
+        syncLeases
+        sleep 10
+      done
     '';
     wants = [ "network-online.target" "unbound.service" ];
     after = [ "network-online.target" "unbound.service" ];