# NixOS module: a DNS-over-TLS (DoT) endpoint served by CoreDNS on port 853,
# backed by a pdns-recursor that is reachable only from loopback and does the
# actual recursion. CoreDNS also answers plain DNS on loopback (and on the
# vstub interface when that interface exists); only the TLS listener is
# exposed through the firewall.
{ config, depot, lib, pkgs, tools, ... }:

let
  inherit (depot.reflection) interfaces;
  inherit (tools.meta) domain;
  inherit (config.links) localRecursor;
  inherit (depot.packages) stevenblack-hosts;
  # The ACME certificate declared further down in this same module; it is read
  # back through `config` so its output directory can be passed to the unit.
  dot = config.security.acme.certs."securedns.${domain}";
in

{
  links.localRecursor = {};

  # Only the DoT port is opened. Plain port 53 stays closed, so the `.` server
  # block below is reachable from loopback/vstub only.
  networking.firewall = {
    allowedTCPPorts = [ 853 ];
    allowedUDPPorts = [ 853 ];
  };

  systemd.services.coredns = {
    # The Corefile binds the vstub address when that interface is defined, so
    # the unit must not start before that address has been configured.
    after = lib.optional (interfaces ? vstub) "network-addresses-vstub.service";
    # The certificate and key are handed to coredns as systemd credentials
    # rather than by making the ACME directory readable to the service user;
    # the Corefile reads them from $CREDENTIALS_DIRECTORY.
    serviceConfig.LoadCredential = [
      "dot-cert.pem:${dot.directory}/fullchain.pem"
      "dot-key.pem:${dot.directory}/key.pem"
    ];
  };

  security.acme.certs."securedns.${domain}" = {
    # NOTE(review): this makes key.pem readable by the nginx group, while
    # coredns itself receives the key via LoadCredential above. Confirm nginx
    # really needs this key; the webroot challenge only needs the challenge
    # directory, not the private key.
    group = "nginx";
    webroot = "/var/lib/acme/acme-challenge";
    # using a different ACME provider because Android Private DNS is fucky
    server = "https://api.buypass.com/acme/directory";
    # NOTE(review): LoadCredential copies the files at unit start. If this ends
    # up as a reload rather than a restart of coredns, the listener may keep
    # serving the pre-renewal certificate until the next restart — verify what
    # the renewal hook does for coredns.service.
    reloadServices = [
      "coredns.service"
    ];
  };

  # Two server blocks with the same resolution policy: the stevenblack hosts
  # file acts as a blocklist (`fallthrough` sends unlisted names onward) and
  # everything else is forwarded to the local recursor.
  # - `.`: plain DNS on loopback and, when present, the vstub address.
  # - `tls://.:853`: DoT on the primary address, using the credentials loaded
  #   above. There is no ACL on this block; it is presumably meant to be a
  #   public resolver (see the `chaos` banner) — confirm that is intended.
  services.coredns = {
    enable = true;
    config = ''
      . {
        ${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
        bind 127.0.0.1
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward . ${localRecursor.tuple}
      }
      tls://.:853 {
        bind ${interfaces.primary.addr}
        tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward . ${localRecursor.tuple}
      }
    '';
  };

  # Upstream recursor used by both CoreDNS server blocks; it listens on the
  # localRecursor link and accepts queries from loopback only.
  services.pdns-recursor = {
    enable = true;
    # NOTE(review): as far as the pdns-recursor documentation goes, "process"
    # validates but only returns SERVFAIL for bogus answers to clients that set
    # the DO/AD bit; clients behind CoreDNS that do not set it would still get
    # the bogus data. Use "validate" if failed validation should be refused for
    # every client — confirm which behaviour is intended.
    dnssecValidation = "process";
    forwardZones = {
      # optimize queries against our own domain
      "${domain}" = interfaces.primary.addr;
    };
    dns = {
      inherit (localRecursor) port;
      address = localRecursor.ipv4;
      # Assumes localRecursor.ipv4 is a loopback address, so that CoreDNS's
      # `forward . ${localRecursor.tuple}` arrives from 127.0.0.1 and is
      # accepted — TODO confirm against the link definition.
      allowFrom = [ "127.0.0.1" ];
    };
  };
}