{ config, ... }:

# Setup:
# PDNS recursor on port 53
# DNSCrypt wrapper on port 1194
# NCDNS for Namecoin bit. zone resolution

{
  # Recursive DNS resolver
  services.pdns-recursor = {
    enable = true;
    # Configures the bit. zone
    resolveNamecoin = true;
    dns.allowFrom = [ "0.0.0.0/0" ];
  };

  # Wrap the local recursive resolver
  # in DNSCrypt on the default OpenVPN port.
  # This port is chosen because it's usually
  # not blocked in corporate networks.
  services.dnscrypt-wrapper = {
    enable  = true;
    address = "0.0.0.0";
    port    = 1194;
  };

  # Namecoin resolver
  services.ncdns = {
    enable = true;
    # This is currently broken, see ncdns issue:
    # https://github.com/namecoin/ncdns/issues/127
    dnssec.enable = false;
  };

  # Namecoin daemon with RPC server
  services.namecoind = {
    enable = true;
    # This are used by the resolver (ncdns)
    # to query the blockchain.
    rpc.user     = config.secrets.namecoin.user;
    rpc.password = config.secrets.namecoin.password;
  };

}