# NixOS module for the DMZ network services: an authoritative-only BIND
# instance serving the public zones, plus dnsmasq (configured in ./dnsmasq.nix).
{ pkgs, lib, config, dns, ... }@inputs:
let
  cfg = config.lab.networking.dmzServices;

  # Render one zone definition into a BIND zone file in the Nix store.
  #   name   - store-path name of the resulting file
  #   domain - apex of the zone, passed to dns.lib.toString
  #   source - path of the zone module, evaluated with this module's inputs
  mkZoneFile = { name, domain, source }:
    pkgs.writeTextFile {
      inherit name;
      text = dns.lib.toString domain (import source inputs);
    };

  kunisZoneFile = mkZoneFile {
    name = "kunis-zone-file";
    domain = "kun.is";
    source = ./zones/kun.is.nix;
  };

  geokunis2nlZoneFile = mkZoneFile {
    name = "geokunis2nl-zone-file";
    domain = "geokunis2.nl";
    source = ./zones/geokunis2.nl.nix;
  };

  # Shared zone settings: this host is the primary (master) for every zone it
  # serves. Public zones must answer anyone, secondaries are told about changes
  # via NOTIFY, and dynamic DNS updates are refused outright.
  primaryZone = file: {
    master = true;
    inherit file;
    allowQuery = [ "any" ];
    extraConfig = ''
      notify yes;
      allow-update { none; };
    '';
  };
in
{
  options.lab.networking.dmzServices.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = lib.mkIf cfg.enable {
    # 53/tcp+udp for DNS; 67/udp presumably for dnsmasq's DHCP role — confirm
    # against ./dnsmasq.nix before narrowing.
    networking.firewall.allowedTCPPorts = [ 53 ];
    networking.firewall.allowedUDPPorts = [ 53 67 ];

    services.bind = {
      enable = true;
      # No upstreams: this server is authoritative-only and never forwards.
      forwarders = [ ];
      # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
      ipv4Only = true;
      # Global hardening:
      #   allow-transfer none  - no AXFR/IXFR zone dumps to arbitrary clients
      #   allow-recursion none - refuse recursive lookups, so the open port
      #                          cannot be used as an open resolver
      #   version              - replace the real BIND version in CHAOS replies
      extraOptions = ''
        allow-transfer { none; };
        allow-recursion { none; };
        version "No dice.";
      '';
      zones = {
        "kun.is" = primaryZone kunisZoneFile;
        "geokunis2.nl" = primaryZone geokunis2nlZoneFile;
      };
    };

    services.dnsmasq = {
      enable = true;
      settings = import ./dnsmasq.nix inputs;
    };
  };
}