From 2ffefb5f30d0ca5d1fccf7d72a04cca63d7a8ebd Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sun, 12 Oct 2025 01:10:25 +0200
Subject: [PATCH] resolved: Init module
---
 modules/system/meta/ports.nix | 13 -------------
 modules/system/services/resolved.nix | 26 ++++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 13 deletions(-)
 create mode 100644 modules/system/services/resolved.nix
diff --git a/modules/system/meta/ports.nix b/modules/system/meta/ports.nix
index 68e3a0b..739161c 100644
--- a/modules/system/meta/ports.nix
+++ b/modules/system/meta/ports.nix
@@ -61,18 +61,5 @@ in
 message = mkErrorMessage duplicateUdpPorts;
 }
 ];
-
- meta.ports =
- let
- resolvedPorts = lib.mkIf config.services.resolved.enable [
- 53
- 5353
- 5355
- ];
- in
- {
- tcp.list = resolvedPorts;
- udp.list = resolvedPorts;
- };
 };
 }
diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix
new file mode 100644
index 0000000..37fdb73
--- /dev/null
+++ b/modules/system/services/resolved.nix
@@ -0,0 +1,26 @@
+{ config, lib, ... }:
+let
+ ports = [
+ 53
+ 5353
+ 5355
+ ];
+in
+{
+ options.custom.services.resolved.enable = lib.mkEnableOption "" // {
+ default = config.systemd.network.enable;
+ };
+
+ config = lib.mkIf config.custom.services.resolved.enable {
+ meta.ports = {
+ tcp.list = ports;
+ udp.list = ports;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ dnsovertls = "opportunistic";
+ };
+ };
+}
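Review bot: Both protective settings in the new `services.resolved` block are the downgrade-tolerant modes, so they only guard against passive observation: with `dnssec = "allow-downgrade"` validation is turned off when the upstream resolver appears not to support DNSSEC, and `dnsovertls = "opportunistic"` falls back to plaintext and does not authenticate the server. An on-path attacker can force either fallback, so spoofed answers remain possible on untrusted networks. If the configured resolvers support it, prefer `dnssec = "true";` and `dnsovertls = "true";` (strict DoT needs the server name supplied with the resolver address); otherwise document the trade-off with a comment such as `# best-effort only: both modes can be downgraded by an active attacker`. The port list also reserves 5355 while `services.resolved.llmnr` is not set in this module, so LLMNR presumably stays at its default; consider `llmnr = "false";` if link-local name resolution is not needed.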