{ config, lib, ... }:

# Setup:
# PDNS recursor on port 53
# DNSCrypt wrapper on port 5353
# NCDNS for Namecoin bit. zone resolution
# sslh handling both HTTP and DSN on 443

{
  # Recursive DNS resolver
  services.pdns-recursor =
    { enable = true;
      # Configures the bit. zone
      resolveNamecoin = true;
      # Use both IPv4 and IPv6
      dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
      settings.local-address = [ "0.0.0.0" "::" ];
    };

  # Wrap the local recursive resolver in DNSCrypt
  services.dnscrypt-wrapper =
    { enable  = true;
      address = "[::]";
      providerKey.public = config.secrets.dnscrypt.pub;
      providerKey.secret = config.secrets.dnscrypt.sec;
    };

  # Demultiplex HTTP and DNS from port 443
  services.sslh =
    { enable = true;
      method = "ev";
      settings.transparent = true;
      settings.listen = with config.var; lib.mkForce
        [ { host = hostname; port = "443"; is_udp = false; }
          { host = hostname; port = "443"; is_udp = true; }
        ];
      settings.protocols =
        [ # Send TLS to nginx (TCP)
          { name = "tls"; host = "localhost"; port= "443"; }
          # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
          { name = "anyprot"; host = "localhost"; port = "5353"; }
          { name = "anyprot"; host = "localhost"; port = "5353";
           is_udp = true; udp_timeout = 100; }
        ];
    };

  # This is needed for the rotation of DNSCrypt keys
  security.polkit.enable = true;

  # Namecoin resolver
  services.ncdns =
    { enable = true;
      # This is currently broken, see ncdns issue:
      # https://github.com/namecoin/ncdns/issues/127
      dnssec.enable = false;
    };

  # Namecoin daemon with RPC server
  services.namecoind =
    { enable = true;
      # This are used by the resolver (ncdns)
      # to query the blockchain.
      rpc.user     = config.secrets.namecoin.user;
      rpc.password = config.secrets.namecoin.password;
    };

  users.users.namecoin.group = "namecoin";

}