# TODO: split this module into separate DHCP and DNS modules.
# Decoupling them would make it easier to run one service on another host.
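{ pkgs, lib, config, dns, ... }@inputs:
let
  cfg = config.lab.networking.dmz.services;

  # Render the kun.is zone from its Nix description into a zone file.
  # The result lives in the world-readable Nix store, so nothing secret
  # (e.g. TSIG keys) may end up in ./zones/kun.is.nix.
  kunisZoneFile = pkgs.writeTextFile {
    name = "kunis-zone-file";
    text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs));
  };
in
{
  options.lab.networking.dmz.services.enable = lib.mkOption {
    default = false;
    type = lib.types.bool;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = lib.mkIf cfg.enable {
    # TODO Remove this; make this explicit in the machine config.
    lab.networking.dmz.allowConnectivity = true;

    # TODO: listen only on dmz interface, make this portable between physical and VM.
    # NOTE(review): until that TODO is done these ports are opened on *every*
    # interface, so DNS (53), DHCP (67) and 5353 are reachable from any
    # network this host is attached to, not only the DMZ.
    # `networking.firewall.interfaces.<iface>.allowed{TCP,UDP}Ports` would
    # scope them to the DMZ interface once its name is known here.
    # Which daemon serves 5353 is decided in ./dnsmasq.nix (not visible
    # here) — presumably dnsmasq, so that it does not collide with BIND on 53.
    networking.firewall = {
      allowedTCPPorts = [ 53 5353 ];
      allowedUDPPorts = [ 53 67 5353 ];
    };

    services = {
      # BIND acts purely as the public authoritative server for kun.is;
      # it must never resolve on behalf of clients.
      bind = {
        enable = true;
        forwarders = [ ];

        # Lines below land inside named.conf's global `options { }` block.
        extraOptions = ''
          # Authoritative only.  `allow-recursion { none; }` on its own still
          # leaves BIND's global default `recursion yes` in effect; turn the
          # feature off outright so no client, ACL or view can ever get it.
          recursion no;
          allow-recursion { none; };
          # No secondaries exist, so no AXFR/IXFR for anyone and no NOTIFYs.
          allow-transfer { none; };
          notify no;
          # Don't answer `version.bind` CH TXT probes with the BIND version.
          version none;
          # NOTE(review): an authoritative server answering `any` over UDP is
          # a usable amplification reflector; consider enabling Response Rate
          # Limiting (`rate-limit { responses-per-second <N>; };`) once an
          # acceptable query rate for this zone is known.
        '';

        zones = {
          "kun.is" = {
            # Primary (master) for the zone; data comes from the store file above.
            master = true;
            file = kunisZoneFile;
            # Public zone: anyone may query it (transfers stay forbidden above).
            allowQuery = [ "any" ];
          };
        };
      };

      # dnsmasq (DHCP and/or resolver for the DMZ); its listen addresses,
      # port and DHCP ranges are defined in ./dnsmasq.nix, not here.
      dnsmasq = {
        enable = true;
        settings = import ./dnsmasq.nix inputs;
      };
    };
  };
}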