# Local DNS stack, applied only when `config.jalr.workstation.enable` is set:
# dnsmasq listens on loopback and forwards everything except a few
# split-DNS zones to a dnscrypt-proxy instance on a loopback port.
{ lib, config, ... }:

let
  proxyHost = "127.0.0.1";
  proxyPort = 9053;

  # Same endpoint in two notations: dnscrypt-proxy takes "host:port",
  # a dnsmasq upstream takes "host#port".
  proxyListen = "${proxyHost}:${toString proxyPort}";
  proxyUpstream = "${proxyHost}#${toString proxyPort}";

  # Per-domain upstreams ("/domain/resolver"). These bypass dnscrypt-proxy,
  # so queries for these zones go out unencrypted to a fixed private address.
  # NOTE(review): the addresses are honoured on every network the machine
  # joins, so whichever host holds e.g. 192.168.0.1 there receives and can
  # answer these names. Consider enabling these forwards only on the
  # networks they belong to.
  splitDnsServers = [
    "/iceportal.de/172.18.0.1"
    "/lab.fablab-nea.de/192.168.94.1"
    "/iot.bw.jalr.de/192.168.42.1"
    "/lan.bw.jalr.de/192.168.42.1"
    "/lechner.zz/192.168.0.1"
    "/login.wifionice.de/172.18.0.1"
  ];
in
{
  config = lib.mkIf config.jalr.workstation.enable {
    services = {
      dnscrypt-proxy2 = {
        enable = true;
        settings = {
          ipv6_servers = true;

          # Resolver selection filters: only upstreams that declare DNSSEC
          # support, no logging and no filtering are used.
          # NOTE(review): require_dnssec selects resolvers, it does not
          # validate answers here, and this module does not enable DNSSEC
          # validation in dnsmasq either. Confirm whether local validation
          # is wanted.
          require_dnssec = true;
          require_nolog = true;
          require_nofilter = true;

          # Reduce linkability of queries: a fresh DNSCrypt key per query
          # and no TLS session tickets.
          dnscrypt_ephemeral_keys = true;
          tls_disable_session_tickets = true;

          # Loopback only; dnsmasq is the sole intended client.
          listen_addresses = [ proxyListen ];

          # NOTE(review): no anonymized_dns routes are set in this module, so
          # this flag presumably has nothing to act on. Verify whether relays
          # were meant to be configured.
          anonymized_dns = {
            skip_incompatible = true;
          };
        };
      };

      dnsmasq = {
        enable = true;
        # Point the host's own resolver at this dnsmasq instance.
        resolveLocalQueries = true;
        settings = {
          # Split-DNS zones first, then dnscrypt-proxy as the only general
          # upstream.
          server = splitDnsServers ++ [ proxyUpstream ];

          # Answer "localhost" locally instead of forwarding it.
          address = [ "/localhost/127.0.0.1" ];

          # Ignore resolv.conf for upstreams, so only the `server` entries
          # above are ever used.
          no-resolv = true;

          # Bind to loopback only, so the resolver is not reachable from
          # the network.
          interface = "lo";
          listen-address = [
            "::1"
            "127.0.0.1"
          ];
          bind-interfaces = true;

          # Detect forwarding loops between dnsmasq and its upstreams.
          dns-loop-detect = true;

          # Cache negative answers that carry no SOA TTL for 5 seconds.
          neg-ttl = 5;
        };
      };
    };
  };
}