# NixOS module: authoritative BIND server for orbekk.com with DNSSEC signing
# maintained by named itself.
#
# Manual signing command kept for reference (not run by this module):
#   dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N unixtime -o $zone -t db.${zone}
# The value passed to -3 is the NSEC3 salt. It is published in the zone's
# NSEC3PARAM record, so it is not a secret; RFC 9276 recommends using no salt.
{ config, lib, pkgs, ... }:

let
  # Derivation that contains the unsigned zone files.
  zoneFiles = pkgs.callPackage ../pkgs/zone-files/default.nix { };
in
{
  services.bind.enable = true;

  # Appended to the generated named.conf.
  #
  # key-directory is a string literal, not a Nix path, so the DNSSEC private
  # keys are read from the host filesystem and are not copied into the
  # world-readable Nix store.
  # NOTE(review): ownership and mode of that directory are not managed here;
  # confirm it is readable only by the user named runs as.
  #
  # "update-policy local" accepts dynamic updates signed with the session key
  # that named generates at startup, so any local account able to read that
  # key file can modify the zone.
  #
  # NOTE(review): "auto-dnssec maintain" is deprecated in recent BIND 9
  # releases in favour of "dnssec-policy"; check it against the packaged
  # BIND version before upgrading.
  services.bind.extraConfig = ''
    zone orbekk.com {
      type master;
      file "/var/run/named/db.orbekk.com.zone";
      auto-dnssec maintain;
      key-directory "/opt/secret/bind/orbekk.com";
      update-policy local;
      allow-query { any; };
    };
  '';

  # mkAfter orders this step after the preStart script the bind module
  # already defines. Every service start overwrites the zone files in
  # /var/run/named with the copies from the store.
  # NOTE(review): the zone is dynamic and signed in place, so a journal
  # (.jnl) left over from a previous run may no longer match the freshly
  # copied file; confirm the directory is clean across restarts.
  systemd.services.bind.preStart = lib.mkAfter ''
    cp -f ${zoneFiles}/* /var/run/named/
  '';
}