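# lab.dns: an authoritative BIND server for the public zones (kun.is,
# geokunis2.nl) plus dnsmasq providing DHCP and local DNS for the DMZ network.
#
# Security posture as configured below:
#   * BIND is authoritative-only: recursion is off, zone transfers and dynamic
#     updates are refused, and the server version string is hidden.
#   * dnsmasq answers on port 5353, which the firewall below does NOT open;
#     only 53 (BIND) and 67/udp (DHCP) are reachable through it.
{ pkgs, lib, config, dns, ... }:
let
  cfg = config.lab.dns;

  # Render a zone module from ./zones into a zone-file derivation using the
  # dns.nix library. The zone modules receive the public IPv4 address so their
  # records can point at it.
  mkZoneFile = domain: drvName: zoneModule:
    pkgs.writeTextFile {
      name = drvName;
      text = dns.lib.toString domain (import zoneModule {
        inherit dns;
        inherit (cfg) publicIpv4;
      });
    };

  kunisZoneFile = mkZoneFile "kun.is" "kunis-zone-file" ./zones/kun.is.nix;
  geokunis2nlZoneFile = mkZoneFile "geokunis2.nl" "geokunis2nl-zone-file" ./zones/geokunis2.nl.nix;

  # Every zone served here is a primary (master) copy: anyone may query it,
  # nobody may push dynamic updates into it. `notify yes` is harmless with no
  # secondaries configured and would keep them in sync if any were added.
  mkPrimaryZone = file: {
    master = true;
    inherit file;
    allowQuery = [ "any" ];
    extraConfig = ''
      notify yes;
      allow-update { none; };
    '';
  };
in
{
  options.lab.dns = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
      '';
    };

    publicIpv4 = lib.mkOption {
      default = "192.145.57.90";
      type = lib.types.str;
      description = ''
        Public IPv4 address handed to the zone modules under ./zones and
        rewritten to the DMZ address by dnsmasq's `alias` setting.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    networking.firewall = {
      # 53 tcp+udp: BIND (authoritative, meant to be public).
      # 67/udp: dnsmasq's DHCP server.
      # dnsmasq's DNS listener on 5353 is intentionally left closed here, so it
      # is only reachable where the firewall already permits traffic.
      # NOTE(review): these rules apply to every interface. If this host has a
      # NIC besides the DMZ one, consider scoping 67/udp with
      # networking.firewall.interfaces.<dmz-if>.allowedUDPPorts.
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 67 ];
    };

    services = {
      bind = {
        enable = true;
        # No upstreams: this server only answers for the zones it hosts.
        forwarders = [ ];
        # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
        ipv4Only = true;
        extraOptions = ''
          // Authoritative-only: never recurse for anyone, so this server cannot
          // be abused as an open resolver / DNS amplification reflector.
          recursion no;
          allow-recursion { none; };
          // No secondaries are configured, so refuse zone transfers (AXFR/IXFR).
          allow-transfer { none; };
          // Hide the BIND version from `version.bind CH TXT` probes.
          version "No dice.";
        '';
        zones = {
          "kun.is" = mkPrimaryZone kunisZoneFile;
          "geokunis2.nl" = mkPrimaryZone geokunis2nlZoneFile;
        };
      };

      dnsmasq = {
        enable = true;
        settings = {
          # Upstreams come from `server` only, never from /etc/resolv.conf.
          no-resolv = true;
          # Default upstream is the DMZ gateway; the two public zones are sent
          # to the authoritative server at 192.168.30.7 instead.
          server = [
            "192.168.30.1"
            "/geokunis2.nl/192.168.30.7"
            "/kun.is/192.168.30.7"
          ];

          # dnsmasq is authoritative for the private `dmz` domain; names come
          # from DHCP leases (dhcp-fqdn/expand-hosts), not from /etc/hosts.
          local = "/dmz/";
          domain = "dmz";
          dhcp-fqdn = true;
          no-hosts = true;
          expand-hosts = true;

          # DHCP: this is the only DHCP server on the DMZ (dhcp-authoritative).
          # IPv4 leases come from a small dynamic pool; IPv6 uses stateless RA
          # with DHCPv6 used only for naming (ra-stateless, ra-names).
          dhcp-authoritative = true;
          dhcp-range = [
            "192.168.30.50,192.168.30.127,15m"
            "2a02:58:19a:f730::, ra-stateless, ra-names"
          ];
          # Static leases keyed by MAC address.
          dhcp-host = [
            "b8:27:eb:b9:ab:e2,esrom"
            "ca:fe:c0:ff:ee:03,max,192.168.30.3"
            "ca:fe:c0:ff:ee:08,maestro,192.168.30.8"
            "dc:a6:32:7b:e2:11,iris,192.168.30.9"
            "ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10"
            "52:54:00:72:e0:9a,forum,192.168.30.11"
          ];
          # Router and DNS-server options handed to clients: both point at the
          # gateway, not at this host.
          dhcp-option = [
            "3,192.168.30.1"
            "option6:dns-server,[2a02:58:19a:f730::1]"
            "option:dns-server,192.168.30.1"
          ];
          ra-param = "*,0,0";

          # Rewrite the public address in upstream answers to 192.168.30.8
          # (maestro) — presumably a NAT-hairpin workaround so DMZ hosts reach
          # it directly; confirm against the router setup.
          alias = "${cfg.publicIpv4},192.168.30.8";

          # NOTE(review): log-queries records every client query. Handy for
          # debugging, but weigh the disk and privacy cost in steady state.
          log-dhcp = true;
          log-queries = true;

          # Publish ens3's address as hermes.dmz. This is `interface-name`, not
          # `interface`: dnsmasq still listens on all interfaces and relies on
          # the firewall above to keep its DNS port private.
          interface-name = "hermes.dmz,ens3";
          # Off port 53 so it does not collide with BIND on the same host.
          port = "5353";
          # Fixed answers for the nameserver hostnames used by the public zones.
          address = [
            "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7"
            "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07"
          ];
        };
      };
    };
  };
}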