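# Option declarations for the Technitium DNS Server module (`services.dns`).
# Only the option schema lives here; the code that consumes these values is
# not part of this file, so notes about runtime behaviour below are hedged.
{ config, lib, ... }:
let
  inherit (lib) types mkOption;
in
{
  options.services.dns = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the Technitium DNS Server";
    };

    # `null` is the "use the default package" sentinel described in the
    # description. The type has to be `nullOr package`: with a bare
    # `types.package` the null default fails the type check as soon as the
    # option is read.
    package = mkOption {
      type = types.nullOr types.package;
      default = null;
      description = "Technitium DNS Server package to use. Defaults to pkgs.technitium-dns-server.";
    };

    # Administration interface, described as plain HTTP. Taken together with
    # the defaults of `listenAddresses` (all interfaces) and
    # `adminPasswordFile` (admin/admin), an unmodified configuration may
    # expose the admin UI with default credentials.
    # NOTE(review): confirm the consuming module or the firewall restricts
    # this port to a management network or loopback.
    webPort = mkOption {
      type = types.port;
      default = 5380;
      description = "HTTP port for the Technitium web administration interface";
    };

    dnsPort = mkOption {
      type = types.port;
      default = 53;
      description = "DNS server port (both TCP and UDP)";
    };

    # "AllowAll" turns the server into an open resolver for every client that
    # can reach `dnsPort`; keep the private-networks default unless access is
    # restricted at the network layer.
    recursion = mkOption {
      type = types.enum [
        "AllowOnlyForPrivateNetworks"
        "AllowAll"
        "DenyAll"
      ];
      default = "AllowOnlyForPrivateNetworks";
      description = "Recursion policy for DNS queries";
    };

    forwarders = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Upstream DNS forwarders (e.g. [ \"1.1.1.1\" \"8.8.8.8\" ]). Empty means use root hints";
    };

    # Holds configuration and zone data per the description.
    # NOTE(review): ownership and mode of this directory are set elsewhere;
    # confirm it is readable only by the service user.
    configDir = mkOption {
      type = types.str;
      default = "/etc/dns";
      description = "Directory for persistent Technitium DNS configuration and zone data";
    };

    # Declared as a string, not a Nix path: a string is handed through as-is,
    # whereas a path value is copied into the world-readable Nix store when it
    # is interpolated. The file should be readable by the service user only.
    # NOTE(review): the null default falls back to admin/admin according to
    # the description; consider having the consuming module warn when the
    # service is enabled without a password file.
    adminPasswordFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to a file containing the admin password for the web interface.
        If not set, the default credentials (admin/admin) are used.
        Use agenix or sops-nix to provide this file securely.
      '';
    };

    # Elements are unvalidated strings; a malformed address is not rejected
    # at evaluation time.
    listenAddresses = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "IP addresses to listen on. Empty means listen on all interfaces";
    };

    # A zone transfer hands the requester the full contents of a zone, so
    # list only the secondaries that need it.
    # NOTE(review): presumably an empty list means "no transfers allowed";
    # confirm against the code that applies this option.
    allowZoneTransfer = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "IP addresses or subnets allowed to request zone transfers (AXFR/IXFR)";
    };

    # `types.anything` performs no per-key validation.
    # NOTE(review): whether keys set here can override the typed options
    # above (e.g. recursion, zone transfer ACLs) depends on the consuming
    # code; confirm. Values set here are ordinary Nix values and should not
    # contain secrets.
    extraConfig = mkOption {
      type = types.attrsOf types.anything;
      default = { };
      description = "Additional Technitium DNS configuration options as an attribute set";
    };
  };
}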