{ config, lib, options, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  # Shorthand for the options this module declares under `my.dns`.
  cfg = config.my.dns;

  # Feature detection: newer NixOS exposes resolved's configuration through
  # `services.resolved.settings`, older releases only have the flat
  # `dnsovertls` / `dnssec` options. Pick whichever form exists.
  hasSettings = options.services.resolved ? settings;

  # Upstream resolvers in resolved's `ip#name` form; the `#name` part is the
  # server name resolved uses when validating the DNS-over-TLS connection.
  upstreams = [
    "116.202.176.26#dot.libredns.gr"
    "1.1.1.1#cloudflare-dns.com"
    "1.0.0.1#cloudflare-dns.com"
  ];

  # Policy for the `settings`-style module. Note that "allow-downgrade"
  # accepts unsigned answers whenever validation looks unsupported, so only
  # `strictDNSSEC = true` gives an enforced DNSSEC guarantee.
  withSettings = {
    settings.Resolve = {
      DNSOverTLS = "yes";
      DNSSEC = if cfg.strictDNSSEC then "yes" else "allow-downgrade";
    };
  };

  # Same policy expressed through the legacy flat options, whose enum values
  # are "true" / "allow-downgrade" rather than "yes" / "allow-downgrade".
  legacy = {
    dnsovertls = "true";
    dnssec = if cfg.strictDNSSEC then "true" else "allow-downgrade";
  };
in
{
  options.my.dns = {
    enable = mkEnableOption "custom DNS setup with Cloudflare and LibreDNS";

    strictDNSSEC = mkOption {
      type = types.bool;
      default = false;
      description = "If true, enforces strict DNSSEC. If false, uses allow-downgrade.";
    };
  };

  config = mkIf cfg.enable {
    networking.nameservers = upstreams;

    # Always enable resolved; the remaining attributes depend on which option
    # schema the running NixOS release provides.
    services.resolved = { enable = true; } // (if hasSettings then withSettings else legacy);
  };
}