# NixOS module: authoritative NSD for the home zone. The zone text is rendered
# from the flake's hosts plus the static entries in ./external-hosts.nix, and a
# TSIG key fetched from the vault gates transfers and NOTIFYs to the secondary.
# Module arguments: `self` (the flake, read for its source metadata) and `lib`
# (nixpkgs lib, handed to the zone generator).
{ self, lib, ... }:
let
  zoneLib = import ../../lib/dns-zone.nix { inherit lib; };
  staticHosts = import ./external-hosts.nix;

  zoneName = "home.2rjus.net";
  dnsPort = 8053;
  secondaryAddr = "10.69.13.6";
  tsigKeyName = "xferkey";
  tsigKeyPath = "/etc/nsd/xfer.key";

  # Zone data built from flake hosts + external hosts. The SOA serial is the
  # flake's lastModified (epoch seconds), so it only advances when the source
  # timestamp does — NOTE(review): confirm what lastModified resolves to for a
  # dirty working tree, since a serial that does not move forward means the
  # secondary will not pick up the new zone.
  zoneText = zoneLib.generateZone {
    inherit self;
    externalHosts = staticHosts;
    serial = self.sourceInfo.lastModified;
    domain = zoneName;
  };
in
{
  # TSIG key material from the vault, extracted from the `key` field and written
  # to the path nsd reads below; `services` names the unit that consumes it
  # (presumably so the vault module can restart it on rotation — verify in
  # the vault module).
  vault.secrets.ns-xfer-key = {
    secretPath = "shared/dns/xfer-key";
    extractKey = "key";
    outputDir = tsigKeyPath;
    services = [ "nsd" ];
  };

  # Port 8053 is opened for TCP and UDP on every interface (NixOS
  # allowedTCPPorts/allowedUDPPorts are not interface-scoped), and nsd binds
  # 0.0.0.0 below, so the listener is reachable from any network this host is
  # attached to. Zone transfers are still restricted by the provideXFR ACL
  # (address + TSIG key); if the secondary sits on one subnet, a per-interface
  # firewall rule would narrow the exposure further.
  networking.firewall = {
    allowedTCPPorts = [ dnsPort ];
    allowedUDPPorts = [ dnsPort ];
  };

  services.nsd = {
    enable = true;
    port = dnsPort;
    ipv6 = false;
    verbosity = 2;
    identity = "${zoneName} server";
    interfaces = [ "0.0.0.0" ];

    # HMAC-SHA256 TSIG key shared with the secondary; the secret itself lives
    # only in the vault-managed file, never in the Nix store.
    keys = {
      ${tsigKeyName} = {
        algorithm = "hmac-sha256";
        keyFile = tsigKeyPath;
      };
    };

    zones = {
      ${zoneName} = {
        # AXFR/IXFR is served only to the secondary, and only when signed
        # with the TSIG key; NOTIFY goes to the same host on the non-default
        # port, signed with the same key.
        provideXFR = [ "${secondaryAddr} ${tsigKeyName}" ];
        notify = [ "${secondaryAddr}@${toString dnsPort} ${tsigKeyName}" ];
        data = zoneText;
      };
    };
  };
}