{ config, lib, pkgs, ... }:

let
  cfg = config.services.ctrld;

  settingsFormat = pkgs.formats.toml { };
  settingsFile = settingsFile.generate "ctrld-proxy-settings" cfg.settings;
in
{
  options.services.ctrld = {
    enable = lib.mkEnableOption "ctrld, a DNS forwarding proxy";
    package = lib.mkPackageOption pkgs "ctrld" { };

    settings = lib.mkOption {
      type = settingsFormat.type;
      description = ''
        Settings to be used for the ctrld server.
      '';
      default = { };
      example = lib.literalExpression ''
        {
          service = {
            log_level = "info";
            log_path = "";
            cache_enable = true;
            cache_size = 4096;
            cache_ttl_override = 60;
            cache_serve_stale = true;
          };

          "upstream.0" = {
            bootstrap_ip = "76.76.2.11";
            endpoint = "https://freedns.controld.com/p1";
            name = "Control D - Anti-Malware";
            timeout = 5000;
            type = "doh";
            ip_stack = "both";
          };

          "network.0" = {
            cidrs = ["0.0.0.0/0"];
            name = "Everyone";
          };
        }
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.ctrld = {
      description = "Forwarding DNS proxy";
      script = ''
        ${lib.getExe' cfg.package "ctrld"} run --config ${settingsFile}
      '';
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "default.target" ];

      serviceConfig = {
        User = "ctrld";
        Group = "ctrld";
        DynamicUser = true;

        Restart = "on-failure";
        LockPersonality = true;
        NoNewPrivileges = true;

        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];

        # TODO: ProtectProc=?
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "full";
        RestrictAddressFamilies = [
          "AF_LOCAL"
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        SystemCallArchitectures = [ "native" ];
        SystemCallFilter = [ "@system-service" ];
      };
    };
  };
}