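# NixOS module: authoritative (master) BIND for the zones in `masterZones`,
# with inline DNSSEC signing.
#
# DNSSEC signing keys are read from the per-zone `key-directory` configured
# below (/opt/secret/bind/<zone>), so generate them there, e.g.:
#   dnssec-keygen -K /opt/secret/bind/example.net example.net
# The key files must be readable by the user named runs as — verify on the host.
{ config, lib, pkgs, ... }:

let
  # Zones this host is primary for; one `zone` stanza is generated per entry.
  masterZones = [ "orbekk.com" "orbekk.no" "kufieta.net" ];

  # Package providing the unsigned zone files that are copied into
  # /var/run/named at every service start (see preStart below).
  zone-files = pkgs.callPackage ../pkgs/zone-files/default.nix { };
in
{
  # Authoritative DNS must be reachable from anywhere; this matches the
  # `allow-query { any; }` in each zone stanza. Recursion policy is not set
  # here — it comes from the NixOS bind module's own options (e.g.
  # cacheNetworks), so confirm the host is not an open resolver.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  services.bind = {
    enable = true;
    extraConfig = ''
      ${lib.concatMapStrings (zone: ''
        zone ${zone} {
          type master;
          file "/var/run/named/db.${zone}.zone";
          // named keeps signatures/NSEC records current using the keys in
          // key-directory; the resulting changes live in the zone journal.
          auto-dnssec maintain;
          key-directory "/opt/secret/bind/${zone}";
          // Only named's own session-key updates from localhost are accepted.
          update-policy local;
          allow-query { any; };
          // NOTE(review): zone transfers are authorised by source address
          // only (no TSIG); consider TSIG-keyed transfers if the peers
          // support it.
          allow-transfer {
            ::1;
            193.35.52.61; // trygve transfer
            2a00:1b60:1011::6def:e868; // ns1
            2001:67c:29f4::61; // ns2
            2604:2000:12c1:c0c6::1000; // sabaki
          };
          // sabaki may transfer but is not notified — presumably intentional
          // (it then relies on its own refresh timer); confirm.
          also-notify {
            193.35.52.61; // trygve transfer
            2a00:1b60:1011::6def:e868; // ns1
            2001:67c:29f4::61; // ns2
          };
          notify explicit;
        };
      '') masterZones}
    '';
  };

  # Appended (mkAfter) to the bind module's own preStart. Every start discards
  # the dynamic-update journals and re-copies the Nix-provided zone files, so
  # the zone content is always what `zone-files` ships and named re-signs it
  # from scratch. `|| true` tolerates an empty glob (no journals yet).
  # NOTE(review): because the signed zone's serial is bumped by named, a
  # restart that reloads the original file serial may hand secondaries a
  # lower serial than they already hold — check serial handling after deploys.
  systemd.services.bind = {
    preStart = lib.mkAfter ''
      rm /var/run/named/*.jnl || true
      cp -f ${zone-files}/* /var/run/named/
    '';
  };
}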