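{ config, lib, pkgs, ... }:

# Local DNS/DHCP for the home network: dnsmasq answers LAN clients and
# forwards external lookups to a local DNS-over-HTTPS proxy (https_dns_proxy
# on 127.0.0.1:5353 / ::1:5353) so that no plaintext DNS leaves the host,
# except for the router's own `fritz.box` zone which is resolved via the
# router directly.
{
  services.dnsmasq = {
    enable = true;

    extraConfig = ''
      bogus-priv      # do not forward reverse lookups of internal (RFC 1918) addresses upstream
      domain-needed   # do not forward names without a domain part
      local-service   # only respond to queries from directly connected subnets
      no-hosts        # do not resolve names from /etc/hosts
      no-resolv       # only use the explicitly configured resolvers (see `servers`)

      # Router-local zone is resolved by the router itself over plaintext DNS;
      # this is intentional (it is a LAN-only name space).
      server=/fritz.box/192.168.100.1

      domain=home.sbruder.de
      dhcp-range=192.168.100.20,192.168.100.150,12h
      dhcp-option=option:router,192.168.100.1
    '';

    # All other lookups go to the DoH proxy below. Together with `no-resolv`
    # this is what keeps dnsmasq from ever talking plaintext DNS to the internet.
    # NOTE(review): https_dns_proxy is started with `-p 5353` only; whether it
    # also listens on ::1 depends on its default bind address — if it binds
    # 127.0.0.1 only, the "::1#5353" entry is dead and dnsmasq will log
    # failures for it. Confirm with `ss -lunp | grep 5353`.
    servers = [
      "127.0.0.1#5353"
      "::1#5353"
    ];
  };

  # `local-service` derives the set of allowed source subnets from the
  # interface addresses present at startup, so dnsmasq must not start before
  # the network is fully configured or it will refuse legitimate LAN clients.
  systemd.services.dnsmasq = {
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
  };

  # Lease/metrics exporter, bound to loopback only so it is not reachable
  # from the LAN; scrape it via a local Prometheus or a reverse proxy.
  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = "127.0.0.1";
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  # DNS-over-HTTPS forwarder used as dnsmasq's only upstream.
  systemd.services.https-dns-proxy = {
    after = [ "network.target" ];
    before = [ "nss-lookup.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.https-dns-proxy}/bin/https_dns_proxy -p 5353 -r https://dns.digitale-gesellschaft.ch/dns-query";
      Restart = "on-failure";
      TimeoutStopSec = "10";

      # Run as an ephemeral unprivileged user. DynamicUser already implies
      # ProtectSystem=strict, PrivateTmp, RemoveIPC and NoNewPrivileges.
      DynamicUser = true;

      # Additional sandboxing: the proxy parses DNS from LAN clients and HTTP
      # from the internet, and port 5353 is unprivileged, so it needs no
      # capabilities and no access to home directories or kernel tunables.
      CapabilityBoundingSet = "";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      LockPersonality = true;
      RestrictRealtime = true;
    };
  };

  # DNS (53/udp+tcp) and DHCP server (67/udp) for LAN clients.
  # NOTE(review): these rules apply to every interface. `local-service` limits
  # which sources dnsmasq *answers*, but the ports are still reachable on any
  # non-LAN interface this host may have (VPN, uplink). If such an interface
  # exists, prefer `networking.firewall.interfaces.<lan-if>.allowedUDPPorts`
  # so the exposure matches the LAN only.
  networking.firewall.allowedUDPPorts = [ 53 67 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
}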