{ config, lib, ... }:

# Setup:
# pdns-recursor on localhost:54
# dnsdist on port 53 (DNS)
# ncdns for Namecoin bit. zone resolution

{
  # Recursive DNS resolver
  services.pdns-recursor =
    { enable = true;
      # Configures the bit. zone
      resolveNamecoin = true;
      dns.port = 54;
    };

  # Public DNS resolver
  services.dnsdist =
    { enable = true;
      extraConfig = ''
        -- Listen on IPv6 and IPv4
        setLocal("[::]:53"); addLocal("0.0.0.0:53")

        -- Allow everything
        setACL({"0.0.0.0/0", "::/0"})

        -- Set upstream resolver
        newServer({address="[::1]:54", name="pdns"})
      '';
    };

  # Namecoin resolver
  services.ncdns =
    { enable = true;
      # This is currently broken, see ncdns issue:
      # https://github.com/namecoin/ncdns/issues/127
      dnssec.enable = false;
    };

  # Namecoin daemon with RPC server
  services.namecoind =
    { enable = true;
      # This are used by the resolver (ncdns)
      # to query the blockchain.
      rpc.user     = config.secrets.namecoin.user;
      rpc.password = config.secrets.namecoin.password;
    };

  users.users.namecoin.group = "namecoin";

}