From b672103607860f342d24c53f6b8d74e38086243e Mon Sep 17 00:00:00 2001
From: Love Billenius
Date: Fri, 17 Apr 2026 18:47:57 +0200
Subject: [PATCH] dnssec

---
 modules/hosts/hermes/configuration.nix | 3 ++
 modules/nixos/base.nix | 16 +++++++++--
 modules/nixos/default.nix | 1 +
 modules/nixos/dns-resolved.nix | 39 ++++++++++++++++++++++++++
 modules/nixos/mail-server/default.nix | 2 ++
 5 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 modules/nixos/dns-resolved.nix

diff --git a/modules/hosts/hermes/configuration.nix b/modules/hosts/hermes/configuration.nix
index fe03073..c3bf54c 100644
--- a/modules/hosts/hermes/configuration.nix
+++ b/modules/hosts/hermes/configuration.nix
@@ -62,5 +62,8 @@ in
 algorithm = "zstd";
 };
+
+ my.dns.strictDNSSEC = true;
+
 system.stateVersion = "25.05";
 }
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
index 5d4db60..3801421 100644
--- a/modules/nixos/base.nix
+++ b/modules/nixos/base.nix
@@ -6,7 +6,10 @@
 ...
 }:
 {
- imports = [ nixosModules.packages.common ];
+ imports = [
+ nixosModules.packages.common
+ nixosModules.dnsResolved
+ ];
 nixpkgs.config.allowUnfree = true;
@@ -65,6 +68,7 @@
 systemd.network.wait-online.enable = false;
 services.resolved.enable = true;
 services.openssh.enable = true;
+ my.dns.enable = true;
 systemd.network.networks."10-wired" = {
 matchConfig.Name = [
@@ -75,8 +79,14 @@
 DHCP = "yes";
 IPv6AcceptRA = true;
 };
- dhcpV4Config.RouteMetric = 100;
- ipv6AcceptRAConfig.RouteMetric = 100;
+ dhcpV4Config = {
+ RouteMetric = 100;
+ UseDNS = false;
+ };
+ ipv6AcceptRAConfig = {
+ RouteMetric = 100;
+ UseDNS = false;
+ };
 };
 programs.zsh.enable = true;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index d886fd6..66d417e 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -7,4 +7,5 @@
 mailServer = import ./mail-server;
 packages = import ./packages;
 zfsRoot = import ./zfs-root.nix;
+ dnsResolved = import ./dns-resolved.nix;
 }
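Review bot: In the base.nix hunk that rewrites `dhcpV4Config` and `ipv6AcceptRAConfig`, the DHCPv6 client can still hand resolved a per-link plaintext nameserver: `DHCP = "yes"` enables both the DHCPv4 and DHCPv6 clients in networkd, and networkd's `[DHCPv6]` section has its own `UseDNS=` (default yes) that is independent of the RA `UseDNS=` being disabled here. A DHCPv6 server on the link (including one reached because the RA sets the M/O flag) can therefore push a resolver that takes precedence for that interface and bypasses the DoT/DNSSEC upstreams pinned in `networking.nameservers`. Add `dhcpV6Config.UseDNS = false;` next to the two existing blocks so all three sources are closed. The enclosing `systemd.network.networks."10-wired"` attribute set starts before this hunk.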
diff --git a/modules/nixos/dns-resolved.nix b/modules/nixos/dns-resolved.nix
new file mode 100644
index 0000000..6c645af
--- /dev/null
+++ b/modules/nixos/dns-resolved.nix
@@ -0,0 +1,39 @@
+{ config, lib, options, ... }:
+let
+ # Targets the custom options we created
+ cfg = config.my.dns;
+
+ # Feature detection
+ hasSettings = options.services.resolved ? settings;
+in
+{
+ options.my.dns = {
+ enable = lib.mkEnableOption "custom DNS setup with Cloudflare and LibreDNS";
+
+ strictDNSSEC = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "If true, enforces strict DNSSEC. If false, uses allow-downgrade.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.nameservers = [
+ "116.202.176.26#dot.libredns.gr"
+ "1.1.1.1#cloudflare-dns.com"
+ "1.0.0.1#cloudflare-dns.com"
+ ];
+
+ services.resolved = if hasSettings then {
+ enable = true;
+ settings.Resolve = {
+ DNSOverTLS = "yes";
+ DNSSEC = if cfg.strictDNSSEC then "yes" else "allow-downgrade";
+ };
+ } else {
+ enable = true;
+ dnsovertls = "true";
+ dnssec = if cfg.strictDNSSEC then "true" else "allow-downgrade";
+ };
+ };
+}
diff --git a/modules/nixos/mail-server/default.nix b/modules/nixos/mail-server/default.nix
index 9062519..4045345 100644
--- a/modules/nixos/mail-server/default.nix
+++ b/modules/nixos/mail-server/default.nix
@@ -9,6 +9,8 @@
 defaults.email = "postmaster@billenius.com";
 };
+ my.dns.strictDNSSEC = true;
+
 imports = [
 ./autodiscover.nix
 ./mail.nix
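Review bot: The `allow-downgrade` value chosen on both `DNSSEC` lines when `strictDNSSEC` is false is opportunistic rather than a guarantee: resolved disables validation as soon as the upstream appears not to support DNSSEC, so a response that strips or omits RRSIGs silently wins on every host that keeps the default, and the `strictDNSSEC` description should say that instead of just naming the mode, e.g. `description = "If true, sets DNSSEC=yes and lookups fail closed when validation is impossible. If false, uses allow-downgrade, which silently disables validation whenever the upstream appears not to support DNSSEC.";`. Because `DNSOverTLS = "yes"` already authenticates the transport to the three `#name` servers, the residual downgrade risk sits with those resolver operators rather than with the network path, which is worth noting in the same description so the trade-off is visible to whoever flips the flag. Consider also pinning `FallbackDNS` in the same `settings.Resolve` block (to the same `#name` servers, or to an empty list) so a host whose `DNS=` list ends up empty cannot fall back to resolved's compiled-in servers; I have not checked whether the NixOS module already sets it. The `else` branch uses the legacy `dnsovertls`/`dnssec` options, and on a nixpkgs where those coexist with `settings` it is worth confirming that the legacy defaults do not also land in resolved.conf.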