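{ pkgs, lib, config, dns, ... }:
let
  cfg = config.lab.dns;

  # Render a zone description (./zones/<domain>.nix) into a BIND zone file in
  # the Nix store. The zone modules receive `dns` (the zone DSL) and the public
  # IPv4 address, so the address has a single source of truth: the
  # `lab.dns.publicIpv4` option.
  # The store-file name drops the dots of the domain ("kun.is" -> "kunis").
  mkZoneFile = domain: zoneModule:
    pkgs.writeTextFile {
      name = "${lib.replaceStrings [ "." ] [ "" ] domain}-zone-file";
      text = dns.lib.toString domain (import zoneModule {
        inherit dns;
        publicIpv4 = cfg.publicIpv4;
      });
    };

  # Common BIND settings for a zone this host is authoritative (primary) for.
  # Queries are open to anyone because the zones are public; dynamic updates
  # are refused. `notify yes` makes BIND send NOTIFY on zone changes
  # (presumably to the zone's listed secondaries; confirm in ./zones).
  authoritativeZone = zoneFile: {
    master = true;
    file = zoneFile;
    allowQuery = [ "any" ];
    extraConfig = ''
      notify yes;
      allow-update { none; };
    '';
  };

  kunisZoneFile = mkZoneFile "kun.is" ./zones/kun.is.nix;
  geokunis2nlZoneFile = mkZoneFile "geokunis2.nl" ./zones/geokunis2.nl.nix;
in
{
  options.lab.dns = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
      '';
    };

    # Previously a hard-coded constant in this file; kept as the default so
    # existing deployments are unchanged.
    publicIpv4 = lib.mkOption {
      default = "192.145.57.90";
      type = lib.types.str;
      description = ''
        Public IPv4 address that the authoritative zones (kun.is, geokunis2.nl)
        publish for this host.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # DNS over both transports; TCP is required for responses that exceed the
    # UDP payload limit. Note these firewall options open port 53 on every
    # interface, not only the DMZ-facing one.
    networking.firewall = {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };

    services.bind = {
      enable = true;

      # No upstream resolvers: this server only answers for its own zones.
      forwarders = [ ];

      # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
      ipv4Only = true;

      # Hardening for an Internet-facing authoritative server:
      #  - no zone transfers (AXFR/IXFR) to anyone, so the full zone contents
      #    cannot be enumerated in one request;
      #  - no recursion, so the host cannot be abused as an open resolver for
      #    reflection/amplification traffic;
      #  - a non-informative version string in CHAOS/version.bind replies.
      extraOptions = ''
        allow-transfer { none; };
        allow-recursion { none; };
        version "No dice.";
      '';

      zones = {
        "kun.is" = authoritativeZone kunisZoneFile;
        "geokunis2.nl" = authoritativeZone geokunis2nlZoneFile;
      };
    };
  };
}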