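# NixOS module: CoreDNS on interface ens18.
#
# - Forwards everything outside the local zones to Quad9 over DNS-over-TLS.
# - Serves bula22.de and three reverse zones from zone files that are
#   installed under /etc/zones.
# - Exposes Prometheus metrics on 10.42.10.8:9253 and 10.42.10.8:9353.
{ config, pkgs, lib, ... }:

{
  networking.firewall.interfaces.ens18 = {
    allowedUDPPorts = [ 53 ];

    # 53: DNS over TCP. Clients fall back to TCP when a UDP answer is
    # truncated; with only UDP/53 open those retries were dropped by the
    # firewall and large answers could not be resolved.
    # 9253/9353: the two `prometheus` listeners declared in the Corefile.
    # NOTE(review): the metrics endpoints are plain, unauthenticated HTTP and
    # these ports are opened for every source on ens18. Presumably only the
    # Prometheus scraper needs them; confirm, and restrict by source if so.
    allowedTCPPorts = [ 53 9253 9353 ];
  };

  services.coredns = {
    enable = true;

    # Corefile, one server block per zone.
    #
    # `.:53` is the catch-all forwarder:
    #   - cache: 1000000 positive and 50000 negative entries; prefetch
    #     refreshes names seen 6 times within 10m once 10% of the TTL is
    #     left; serve_stale answers from expired entries when the upstream
    #     is unavailable.
    #   - forward: DNS-over-TLS to the four Quad9 addresses; tls_servername
    #     makes the upstream certificate be checked against dns.quad9.net.
    #   - log: writes every query to the log (client address and queried
    #     name), so the log should be treated as sensitive data.
    #
    # NOTE(review): the catch-all block answers recursive queries for any
    # client that can reach port 53 on ens18. If ens18 is reachable from
    # outside the networks this resolver is meant to serve, UDP recursion
    # can be abused for reflection/amplification. Confirm the exposure and
    # limit it if needed (CoreDNS `acl` plugin or source-restricted
    # firewall rules).
    #
    # NOTE(review): the three reverse zones load only the `file` plugin, so
    # unlike bula22.de they have no `errors`/`log` output. Confirm that is
    # intended.
    config = ''
      .:53 {
        errors
        log
        cache {
          success 1000000
          denial 50000
          prefetch 6 10m 10%
          serve_stale
        }
        prometheus 10.42.10.8:9253
        forward . tls://2620:fe::fe tls://9.9.9.9 tls://2620:fe::9 tls://149.112.112.112 {
          tls_servername dns.quad9.net
          health_check 5s
        }
      }

      bula22.de {
        errors
        log
        prometheus 10.42.10.8:9353
        file /etc/zones/db.bula22.de
      }

      42.10.in-addr.arpa {
        file /etc/zones/db.42.10.in-addr.arpa.
      }

      2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa {
        file /etc/zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.
      }

      1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa {
        file /etc/zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.
      }
    '';
  };

  # Restart CoreDNS whenever one of the zone files changes, so a rebuild with
  # edited records is picked up by the running service.
  systemd.services.coredns.restartTriggers = [
    config.environment.etc."zones/db.bula22.de".source
    config.environment.etc."zones/db.42.10.in-addr.arpa.".source
    config.environment.etc."zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.".source
    config.environment.etc."zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.".source
  ];

  # Install the zone files under /etc/zones; the names (including the
  # trailing dots) must match the `file` paths in the Corefile above.
  environment = {
    etc = {
      "zones/db.bula22.de".source = ./zones/db.bula22.de;
      "zones/db.42.10.in-addr.arpa.".source = ./zones/db.42.10.in-addr.arpa.;
      "zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.".source = ./zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.;
      "zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.".source = ./zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.;
    };
  };
}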