dnssec

modules/nixos/dns-resolved.nix

@@ -0,0 +1,39 @@
+{ config, lib, options, ... }:
+let
+  # Targets the custom options we created
+  cfg = config.my.dns; 
+  
+  # Feature detection
+  hasSettings = options.services.resolved ? settings;
+in
+{
+  options.my.dns = {
+    enable = lib.mkEnableOption "custom DNS setup with Cloudflare and LibreDNS";
+    
+    strictDNSSEC = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "If true, enforces strict DNSSEC. If false, uses allow-downgrade.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.nameservers = [
+      "116.202.176.26#dot.libredns.gr"
+      "1.1.1.1#cloudflare-dns.com"
+      "1.0.0.1#cloudflare-dns.com"
+    ];
+
+    services.resolved = if hasSettings then {
+      enable = true;
+      settings.Resolve = {
+        DNSOverTLS = "yes";
+        DNSSEC = if cfg.strictDNSSEC then "yes" else "allow-downgrade";
+      };
+    } else {
+      enable = true;
+      dnsovertls = "true";
+      dnssec = if cfg.strictDNSSEC then "true" else "allow-downgrade";
+    };
+  };
+}