# Module holding the authoritative DNS zone data.
# Declares `ctucxConfig.services.dnsServer.enable`; when it is set, `dns` is
# switched on and `dns.allZones` is filled with the zones below.
{ nodes, config, lib, pkgs, ...}:

let
  cfg = config.ctucxConfig.services.dnsServer;

in {
  options.ctucxConfig.services.dnsServer.enable = lib.mkEnableOption "dns";

  config = lib.mkIf cfg.enable {
    dns.enable = true;

    dns.allZones = with pkgs.dns.lib.combinators; let
      # Records shared by every zone in this file.
      zoneBase = {
        SOA = {
          nameServer = "ns1.ctu.cx.";
          adminEmail = "dns@ctu.cx"; # Email address with a real `@`!
          # Concatenates to 202303041: nine digits with a one-digit revision,
          # not the common ten-digit YYYYMMDDnn form.
          # NOTE(review): going from a two-digit revision back to a one-digit
          # one yields a smaller number, and secondaries ignore a serial that
          # does not increase. Confirm the bump scheme.
          serial = lib.toInt (lib.concatStrings [ "2023" "03" "04" "1" ]);
        };

        NS = [
          "ns1.ctu.cx."
          "ns2.ctu.cx."
        ];

        # Only letsencrypt.org is authorised to issue. With no `issuewild`
        # property, this `issue` entry also governs wildcard names (RFC 8659).
        # No `iodef` reporting contact is published.
        CAA = [
          {
            issuerCritical = false;
            tag            = "issue";
            value          = "letsencrypt.org";
          }
        ];
      };

      # Builds `<octet>-<dashed>.<label>` names, each with a single A record
      # `<net>.<octet>`, for every octet from `first` to `last` inclusive.
      # Name and address come from the same number, so they cannot drift apart.
      addressRange = { net, dashed, label, first, last }:
        lib.listToAttrs (map
          (octet: lib.nameValuePair
            "${toString octet}-${dashed}.${label}"
            { A = [ (a "${net}.${toString octet}") ]; })
          (lib.range first last));

    in {
      "ctu.cx" = zoneBase // {
        subdomains = {
          # Both nameservers take their IPv4/IPv6 addresses from the node configs.
          ns1 = (host nodes.trabbi.config.networking.primaryIP4      nodes.trabbi.config.networking.primaryIP);
          ns2 = (host nodes.wanderduene.config.networking.primaryIP4 nodes.wanderduene.config.networking.primaryIP);

          _atproto.TXT = [ "did=did:plc:zaeuok3fmh2pcp4cjiicku4i" ];

          # Targets carry no trailing dot, so they are presumably relative to
          # this zone. NOTE(review): `home` is not defined in this file;
          # confirm it is provided elsewhere so these CNAMEs do not dangle.
          blechkasten.CNAME = [ "blechkasten.home" ];
          briefkasten.CNAME = [ "briefkasten.home" ];
        }
        # 195.39.247.48 - 195.39.247.55
        // addressRange { net = "195.39.247"; dashed = "247-39-195"; label = "wireguard"; first = 48; last = 55; }
        # 195.39.246.32 - 195.39.246.47
        // addressRange { net = "195.39.246"; dashed = "246-39-195"; label = "dynamic";   first = 32; last = 47; };
      };

      # Zones that carry only SOA/NS/CAA in this file.
      # NOTE(review): no SPF or DMARC records are published here for these
      # zones (nor for ctu.cx). If they never send mail, a `v=spf1 -all` TXT
      # and a `_dmarc` policy of `p=reject` let receivers refuse forged
      # senders. Confirm whether another module adds them.
      "wifionic.de"     = zoneBase;
      "trans-agenda.de" = zoneBase;
      "ctucx.de"        = zoneBase;
      "thein.ovh"       = zoneBase;

      "flauschehorn.sexy" = zoneBase // {
        MX = with mx; [
          (mx 10 "rx300.kunbox.net.")
        ];

        # SPF authorises the MX host only; `~all` is a softfail, so rejection
        # of other senders depends on the DMARC policy below.
        TXT = [ "v=spf1 mx ~all" ];

        subdomains = {
          # Quarantine policy with relaxed DKIM and SPF alignment.
          _dmarc.TXT = [ "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" ];

          # DKIM public key (no secret material).
          # NOTE(review): the value is longer than 255 bytes; confirm the zone
          # writer splits it into several character-strings.
          "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" ];
        };
      };
    };
  };
}