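{ pkgs, lib, config, ... }:
# Authoritative DNS for the kun.is and geokunis2.nl zones (BIND, no recursion).
#
# Both zone files are written to the Nix store, so they only change when this
# module is rebuilt.  The SOA serial is the only signal a secondary gets that
# the content changed: bump it on every edit.
#
# Quoting: a Nix ''…'' string does not interpret backslash escapes, so a `\"`
# written here reaches BIND verbatim.  Record data that needs quoting (TXT,
# CAA) is therefore written with plain double quotes.  Owner names are given
# explicitly on every record because the leading whitespace that would
# otherwise carry the previous owner is not reliable once Nix strips the
# common indentation.
let
  cfg = config.lab.dns;

  kunisZoneFile = pkgs.writeTextFile {
    name = "kunis-zone-file";
    text = ''
      $ORIGIN kun.is.
      $TTL 1m
      @ IN SOA ns1.kun.is. hostmaster.kun.is. (
        1704580937 ; serial - increment on every change
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        1D         ; negative-cache TTL
      )
      @ IN NS ns1.kun.is.
      @ IN NS ns2.kun.is.
      ; NOTE(review): an MX is published but no SPF/DMARC TXT records are;
      ; confirm the intended outbound-mail policy for this domain.
      @ IN MX 10 mail.kun.is.
      ns  IN A 192.145.57.90
      ns1 IN A 192.145.57.90
      ns2 IN A 192.145.57.90
      ; Wildcard: every otherwise-unlisted name (including mail.kun.is) resolves
      ; to the same host.  There is no CAA record for this zone, unlike
      ; geokunis2.nl below - confirm whether that is intentional.
      * IN A 192.145.57.90
      ; Bing site verification is <token>.<zone> -> verify.bing.com.  The owner
      ; name must be inside this zone; an owner of verify.bing.com. would be
      ; rejected by BIND as out-of-zone data.  Confirm the token against Bing
      ; Webmaster Tools.
      fcfe5d31d5b7ae1af0b352a6b4c75d3f IN CNAME verify.bing.com.
      @ IN TXT "google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04"
    '';
  };

  geokunisnlZoneFile = pkgs.writeTextFile {
    name = "geokunisnl-zone-file";
    text = ''
      $ORIGIN geokunis2.nl.
      $TTL 1h
      @ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
        1704580937 ; serial - increment on every change
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        1D         ; negative-cache TTL
      )
      @ IN NS ns.geokunis2.nl.
      ; NOTE(review): the TransIP servers are listed as NS, but this server
      ; refuses zone transfers (allow-transfer { none; }).  If they are meant
      ; to be secondaries of this primary they need allow-transfer (ideally
      ; TSIG-keyed) and a matching also-notify; otherwise they answer with
      ; whatever TransIP holds, which may diverge from this file.
      @ IN NS ns0.transip.net.
      @ IN NS ns1.transip.nl.
      @ IN NS ns2.transip.eu.
      ; NOTE(review): MX published without SPF/DMARC TXT records - confirm.
      @ IN MX 10 mail.geokunis2.nl.
      @ IN A 192.145.57.90
      @ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
      mail IN A 192.145.57.90
      wg  IN A 192.145.57.90
      wg  IN AAAA 2a0d:6e00:1a77::1
      wg4 IN A 192.145.57.90
      wg6 IN AAAA 2a0d:6e00:1a77::1
      tuindersweijde IN A 192.145.57.90
      ; The AAAA for ns is published even though BIND below runs ipv4Only;
      ; IPv6-preferring resolvers will fall back to the A record.
      ns IN A 192.145.57.90
      ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
      cyberchef IN A 192.145.57.90
      cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
      inbucket IN A 192.145.57.90
      kms IN A 192.145.57.90
      ; Only Let's Encrypt may issue certificates for this zone.
      @ IN CAA 0 issue "letsencrypt.org"
    '';
  };
in
{
  options.lab.dns.enable = lib.mkOption {
    default = false;
    type = lib.types.bool;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = lib.mkIf cfg.enable {
    # Public authoritative service: DNS on both transports, on every interface.
    networking.firewall = {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };

    services.bind = {
      enable = true;
      # Authoritative only: no upstreams, and recursion is refused below.
      forwarders = [ ];
      # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
      ipv4Only = true;
      # These land inside BIND's global options { } block.
      extraOptions = ''
        allow-transfer { none; };
        allow-recursion { none; };
        version "No dice.";
        // The zones are queryable by anyone and kun.is carries a wildcard, so
        // this server is usable as an amplification source without response
        // rate limiting.  Thresholds are a starting point - tune to real load.
        rate-limit {
          responses-per-second 20;
          window 5;
        };
      '';
      zones = {
        "kun.is" = {
          master = true;
          file = kunisZoneFile;
          # World-readable zone; recursion is already disabled globally.
          allowQuery = [ "any" ];
          extraConfig = ''
            notify yes;
            allow-update { none; };
          '';
        };
        "geokunis2.nl" = {
          master = true;
          file = geokunisnlZoneFile;
          allowQuery = [ "any" ];
          extraConfig = ''
            notify yes;
            allow-update { none; };
          '';
        };
      };
    };
  };
}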