{
  liminix
, dnsmasq
, serviceFns
, lib
}:
{
  interface
, user
, domain
, group
, ranges
, hosts
, upstreams
, resolvconf
}:
let
  name = "${interface.name}.dnsmasq";
  inherit (liminix.services) longrun;
  inherit (lib) concatStrings concatStringsSep mapAttrsToList;
  hostOpt = name : { mac, v4, v6, leasetime } @ attrs:
    let v6s = concatStrings (map (a : ",[${a}]") v6);
    in "--dhcp-host=${mac},${v4}${v6s},${name},${builtins.toString leasetime}";
in
longrun {
  inherit name;
  dependencies = [ interface ];
  run = ''
    . ${serviceFns}
    ${dnsmasq}/bin/dnsmasq \
    --user=${user} \
    --domain=${domain} \
    --group=${group} \
    --interface=$(output ${interface} ifname) \
    ${lib.concatStringsSep " " (builtins.map (r: "--dhcp-range=${r}") ranges)} \
    ${lib.concatStringsSep " " (builtins.map (r: "--server=${r}") upstreams)} \
    --keep-in-foreground \
    --dhcp-authoritative \
    ${if resolvconf != null then "--resolv-file=$(output_path ${resolvconf} resolv.conf)" else "--no-resolv"} \
    ${lib.concatStringsSep " " (mapAttrsToList hostOpt hosts)} \
    --no-hosts \
    --log-dhcp \
    --enable-ra \
    --log-facility=- \
    --dhcp-leasefile=$(mkstate ${name})/leases \
    --pid-file=/run/${name}.pid
  '';
    # --log-debug \
    # --log-queries \

}