# Kubernetes resources for an authoritative-only BIND9 instance serving kun.is:
# two ConfigMaps (environment and named.conf + zone data), one Deployment and
# one LoadBalancer Service.
let
  # One label set shared by the Deployment selector, the pod template and the
  # Service selector; they have to match or the Service gets no endpoints.
  labels = { app = "bind9"; };

  # DNS port used for the container port and both Service port fields.
  dnsPort = 53;
in
{
  kubernetes.resources = {
    configMaps = {
      bind9-env = {
        data = { TZ = "Europe/Amsterdam"; };
      };

      bind9-config = {
        data = {
          # TODO: this was copied from nix's generated bind config
          # Is there a way to generate this without actually running the nixos module?
          #
          # Security-relevant settings in this named.conf:
          #   - allow-recursion { none; }  -> no recursive service is offered.
          #   - allow-transfer { none; } globally and an empty list on the zone
          #     -> AXFR is refused.
          #   - version none               -> the server version is not disclosed.
          #   - global allow-query is limited to `cachenetworks`; the kun.is zone
          #     overrides it with `any`, so only that zone answers everyone.
          #   - `cachenetworks` is 127.0.0.0/24, i.e. 127.0.0.0-127.0.0.255, not
          #     the whole 127.0.0.0/8 loopback range.
          #   - `forward first` with an empty forwarders list: presumably no
          #     forwarding takes place - TODO confirm and drop both lines.
          config = ''
            acl cachenetworks { 127.0.0.0/24; };
            acl badnetworks { };

            options {
              listen-on { any; };
              listen-on-v6 { any; };
              allow-query { cachenetworks; };
              blackhole { badnetworks; };
              forward first;
              forwarders { };
              directory "/run/named";
              pid-file "/run/named/named.pid";
              allow-transfer { none; };
              allow-recursion { none; };
              version none;
              notify no;
            };

            zone "kun.is" {
              type master;
              file "/etc/bind/kun.is.zone";
              allow-transfer { };
              allow-query { any; };
            };
          '';

          # TODO: replace with dns.nix
          #
          # Zone data notes:
          #   - CAA: issuance is limited to letsencrypt.org, wildcard issuance is
          #     forbidden (issuewild ";"), reports go to the iodef address.
          #   - SPF ends in ~all (softfail) and no _dmarc TXT record is defined
          #     in this zone data.
          #     NOTE(review): confirm that this mail policy is intended.
          #   - ns1 and ns2 carry the same A and AAAA addresses, so the two NS
          #     records give no redundancy.
          #   - The SOA serial is a literal here; nothing in this file bumps it.
          kunis-zone = ''
            $TTL 86400
            kun.is. IN SOA ns1 webmaster.kun.is. (2024021702 86400 600 864000 60)
            kun.is. IN CAA 0 issue "letsencrypt.org"
            kun.is. IN CAA 0 issuewild ";"
            kun.is. IN CAA 0 iodef "mailto:caa@kun.is"
            kun.is. IN MX 10 mail.kun.is.
            kun.is. IN NS ns1.kun.is.
            kun.is. IN NS ns2.kun.is.
            kun.is. IN TXT "v=spf1 include:spf.glasnet.nl ~all"
            *.kun.is. IN A 192.145.57.90
            em670271.kun.is. IN CNAME return.smtp2go.net.
            link.kun.is. IN CNAME track.smtp2go.net.
            ns.kun.is. IN A 192.145.57.90
            ns.kun.is. IN AAAA 2a0d:6e00:1a77:30::7
            ns1.kun.is. IN A 192.145.57.90
            ns1.kun.is. IN AAAA 2a0d:6e00:1a77:30::7
            ns2.kun.is. IN A 192.145.57.90
            ns2.kun.is. IN AAAA 2a0d:6e00:1a77:30::7
            s670271._domainkey.kun.is. IN CNAME dkim.smtp2go.net.
            wg.kun.is. IN A 192.145.57.90
            wg.kun.is. IN AAAA 2a0d:6e00:1a77:30::1
          '';
        };
      };
    };

    deployments.bind9 = {
      metadata.labels = labels;
      spec = {
        selector.matchLabels = labels;
        template = {
          metadata.labels = labels;
          spec = {
            containers.bind9 = {
              # NOTE(review): the image is referenced by a mutable tag (a
              # "_beta" one), so the content behind it can change between
              # pulls. Pinning by digest (ubuntu/bind9@sha256:<digest>) makes
              # the deployed image reproducible.
              image = "ubuntu/bind9:9.18-22.04_beta";
              envFrom = [
                { configMapRef.name = "bind9-env"; }
              ];
              # NOTE(review): only UDP is declared, here and on the Service.
              # Resolvers retry over TCP when a UDP answer is truncated, and
              # TCP/53 is not exposed by this configuration.
              ports = [
                {
                  containerPort = dnsPort;
                  protocol = "UDP";
                }
              ];
              # Both files come from the same ConfigMap volume; subPath selects
              # the key that is mounted at each path.
              volumeMounts = [
                {
                  name = "config";
                  mountPath = "/etc/bind/named.conf";
                  subPath = "config";
                }
                {
                  name = "config";
                  mountPath = "/etc/bind/kun.is.zone";
                  subPath = "kunis-zone";
                }
              ];
              # NOTE(review): no securityContext and no resource requests or
              # limits are set for this container. Decide deliberately what
              # user it runs as and which capabilities it keeps.
            };
            volumes = [
              {
                name = "config";
                configMap.name = "bind9-config";
              }
            ];
          };
        };
      };
    };

    services.bind9.spec = {
      type = "LoadBalancer";
      # Private (RFC 1918) address, while the zone's records point at
      # 192.145.57.90: presumably an upstream NAT or port-forward sits between
      # the two - verify that only port 53 is forwarded.
      loadBalancerIP = "192.168.30.134";
      selector = labels;
      ports = [
        {
          port = dnsPort;
          targetPort = dnsPort;
          protocol = "UDP";
        }
      ];
    };
  };
}