{ ... }:

{
  services.dnsmasq = {
    enable = true;
    settings = {
      # DNS forwarding
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
      server = [ "1.1.1.1" "8.8.8.8" ];

      # Local domain
      local = "/cyper.local/";
      domain = "cyper.local";
      expand-hosts = true;

      # Static host entries
      address = [
        "/cyper-controller.cyper.local/192.168.2.2"
        "/cyper-node1.cyper.local/192.168.2.30"
        "/cyper-node2.cyper.local/192.168.2.31"
      ];

      # DHCP for dynamic hosts (cyper-cluster, cyper-cloud)
      dhcp-range = "192.168.2.100,192.168.2.200,24h";
      dhcp-option = [
        "3,192.168.2.1"  # default gateway
        "6,192.168.2.2"  # DNS server
      ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 67 68 ];
}