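{ lib, config, pkgs, ... }:
# Thin wrapper around the upstream `services.technitium-dns-server` module:
# enables the service, opens its ports and passes the admin password file
# through to the daemon via an environment variable.
let
  cfg = config.my.networking.technitium-dns-server;
in
{
  options.my.networking.technitium-dns-server = {
    enable = lib.mkEnableOption "Enable Technitium DNS Server";
    dnsOverHttps = lib.mkEnableOption "Enable DNS over HTTPS";
    adminPasswordFile = lib.mkOption {
      # `null` (not "") is the "unset" value: "" is not a valid `types.path`
      # and would fail the option type check as soon as the module is enabled.
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/run/secrets/technitium-admin-password";
      description = ''
        Path to the file containing the admin password, passed to the daemon
        as DNS_SERVER_ADMIN_PASSWORD_FILE. When null, no password file is
        configured.

        Give an absolute path string, not a Nix path literal: a path literal
        is copied into the world-readable Nix store. The file must be
        readable by the technitium-dns-server service user and should not be
        readable by anyone else.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Disable systemd-resolved: it already listens on TCP :53, which makes the
    # Technitium listener fail and breaks zone sync.
    services.resolved.enable = false;

    services.technitium-dns-server = {
      enable = true;
      # NOTE: this also exposes the web console (5380 HTTP, 53443 HTTPS) to
      # every host the firewall accepts from; restrict the source range or
      # front it with a reverse proxy if the box is not on a trusted network.
      openFirewall = true;
      # 53: DNS; 5380/53443: web console; 443 only when DoH is requested.
      firewallTCPPorts = [ 53 5380 53443 ] ++ lib.optional cfg.dnsOverHttps 443;
      # 53: DNS; 67: DHCP server.
      firewallUDPPorts = [ 53 67 ];
    };

    # Only hand the daemon a password file when one was actually configured.
    systemd.services.technitium-dns-server.environment =
      lib.mkIf (cfg.adminPasswordFile != null) {
        DNS_SERVER_ADMIN_PASSWORD_FILE = cfg.adminPasswordFile;
      };
  };
}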