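{ config, ... }:
let
  cfg = import ./common.nix;

  # The LAN bridge dnsmasq serves. Used for the dnsmasq listener, the
  # interface-name records and the firewall rules, so the three cannot drift
  # apart (the original listed the same string in several places and opened
  # the ports host-wide rather than on this interface only).
  lanInterface = "br-lan";
in
{
  services.dnsmasq = {
    enable = true;

    settings = {
      bogus-priv = true; # do not forward reverse lookups of private (RFC 1918 / ULA) addresses
      domain-needed = true; # do not forward plain names without a domain part
      # Only answer queries that arrive on the LAN bridge. Without
      # bind-interfaces/bind-dynamic dnsmasq still opens wildcard sockets and
      # discards traffic from other interfaces in userspace, which is why the
      # firewall below additionally limits the ports to this interface.
      interface = lanInterface;
      no-hosts = true; # do not serve entries from /etc/hosts
      no-resolv = true; # ignore /etc/resolv.conf; only the `server` entries below are used
      cache-size = 10000;
      inherit (cfg) domain;

      # Make the router itself resolvable (both FQDN and short name) to the
      # address it holds on the LAN bridge.
      interface-name = [
        "${config.networking.hostName}.${cfg.domain},${lanInterface}"
        "${config.networking.hostName},${lanInterface}"
      ];

      dhcp-range = [
        "10.80.1.20,10.80.1.150,12h" # DHCPv4 pool, 12 h leases
        # IPv6: SLAAC for addresses, stateless DHCPv6 for the DNS option
        # (option6:dns-server below), hostnames from the RA names.
        "fd00:80:1::,ra-stateless,ra-names"
      ];
      dhcp-option = [
        "option:router,10.80.1.1"
        "option6:dns-server,fd00:80:1::1"
      ];

      # Despite its name, the switch does not have a "smart" configuration
      # that would allow telling it to get DHCP from lan instead of wan, so it
      # is configured statically and only gets a fixed name here.
      host-record = "switchviech,switchviech.${cfg.domain},10.80.1.19";

      # Sole upstream: the local https-dns-proxy instance configured below.
      # Must match that service's listen address and port.
      server = [ "127.0.0.1#5053" ];
    };
  };

  # br-lan is managed by networkd; start dnsmasq only once it exists so the
  # interface-name lookups and the interface filter have something to bind to.
  systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];

  # Open DNS and DHCP towards the LAN only. The host-wide allowedUDPPorts /
  # allowedTCPPorts lists would also expose port 53 on the wan side of the
  # router; dnsmasq drops those queries itself, but there is no reason to
  # let them reach it at all.
  networking.firewall.interfaces.${lanInterface} = {
    allowedUDPPorts = [
      53 # DNS
      67 # DHCPv4 server
      # DHCPv6 server: ra-stateless clients request option6:dns-server via a
      # DHCPv6 Information-Request to UDP 547, which the default firewall
      # policy would otherwise drop.
      547
    ];
    allowedTCPPorts = [ 53 ]; # DNS over TCP (truncated answers, AXFR is not served)
  };

  # Lease/metrics exporter, reachable only on this host's WireGuard address
  # (no firewall rule is opened for it here; access is via the tunnel).
  services.prometheus.exporters.dnsmasq = {
    enable = true;
    listenAddress = config.sbruder.wireguard.home.address;
    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
  };

  # DNS-over-HTTPS forwarder that dnsmasq uses as its only upstream. Bootstrap
  # IPs resolve the DoH endpoint without a plaintext resolver.
  services.https-dns-proxy = {
    enable = true;
    provider = {
      kind = "custom";
      ips = [ "9.9.9.9" "149.112.112.112" ];
      url = "https://dns.quad9.net/dns-query";
    };
  };
}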