# NixOS module: runs NSD as the authoritative server for home.2rjus.net on a
# non-standard port and allows TSIG-signed zone transfers to one peer.
{ ... }:
let
  # Where sops-nix places the decrypted TSIG secret and where NSD reads it.
  # Bound once so the two settings cannot drift apart.
  xferKeyPath = "/etc/nsd/xfer.key";

  # Port NSD listens on; the same value is opened in the firewall below.
  dnsPort = 8053;

  # Name of the TSIG key as referenced in the zone's transfer/notify ACLs.
  tsigKeyName = "xferkey";

  # The only peer allowed to transfer the zone and the target of NOTIFY.
  xferPeer = "10.69.13.6";
in
{
  # The secret is decrypted at activation time instead of being written in this
  # file. No owner/mode is set here, so the sops-nix defaults apply.
  # NOTE(review): confirm NSD's startup can read the file under those defaults,
  # and that NSD is restarted when the key is rotated.
  sops.secrets.ns_xfer_key.path = xferKeyPath;

  # Opens the DNS port for both transports. No source restriction is applied at
  # this layer, so any host that can route here can send queries; only zone
  # transfers are limited further (peer address + TSIG key, see the zone below).
  networking.firewall = {
    allowedTCPPorts = [ dnsPort ];
    allowedUDPPorts = [ dnsPort ];
  };

  services.nsd = {
    enable = true;
    port = dnsPort;
    # IPv4 only, bound to every IPv4 address on the host.
    ipv6 = false;
    interfaces = [ "0.0.0.0" ];
    verbosity = 2;
    # presumably the string returned for server-identity queries; it names the
    # domain, so treat it as public information.
    identity = "home.2rjus.net server";

    # TSIG key for signing transfers and notifies. Only the path appears here;
    # the key material stays in the sops-managed file.
    keys.${tsigKeyName} = {
      algorithm = "hmac-sha256";
      keyFile = xferKeyPath;
    };

    zones."home.2rjus.net" = {
      # Zone transfers: this peer address only, and only when signed with the key.
      provideXFR = [ "${xferPeer} ${tsigKeyName}" ];
      # NOTIFY messages go to the same peer on port 8053, signed with the same key.
      notify = [ "${xferPeer}@8053 ${tsigKeyName}" ];
      # Read at evaluation time, so the zone contents are embedded in the
      # generated configuration in the Nix store (world-readable). Keep anything
      # that must stay private out of the zone file.
      data = builtins.readFile ./zones-home-2rjus-net.conf;
    };
  };
}