{ depot, lib, ... }:

# NixOS module for this host's CoreDNS instance.  It is authoritative for the
# as205479.net forward zone and the matching IPv4/IPv6 reverse zones, and acts
# as a recursive forwarder for allow-listed client networks only.
let
  # Zones served authoritatively.  Each entry needs a matching `db.<zone>`
  # file in ./zones (see environment.etc below).
  forwardZones = [ "as205479.net" ];
  ipv4ReverseZones = [
    "28.118.92.in-addr.arpa"
    "29.118.92.in-addr.arpa"
    "30.118.92.in-addr.arpa"
    "31.118.92.in-addr.arpa"
  ];
  ipv6ReverseZones = [
    "0.4.4.a.9.0.a.2.ip6.arpa"
    "1.4.4.a.9.0.a.2.ip6.arpa"
    "2.4.4.a.9.0.a.2.ip6.arpa"
    "3.4.4.a.9.0.a.2.ip6.arpa"
    "4.4.4.a.9.0.a.2.ip6.arpa"
    "5.4.4.a.9.0.a.2.ip6.arpa"
    "6.4.4.a.9.0.a.2.ip6.arpa"
    "7.4.4.a.9.0.a.2.ip6.arpa"
  ];
  authoritativeZones = forwardZones ++ ipv4ReverseZones ++ ipv6ReverseZones;

  # Corefile server block for one authoritative zone.  `zonehdr` is the
  # snippet declared in the Corefile below; the second argument to `file`
  # is the zone origin.
  zoneStanza = zone: ''
    ${zone} {
      import zonehdr
      file /etc/coredns-zones/db.${zone} ${zone}
    }
  '';

  # All per-zone stanzas, separated by a blank line.
  zoneStanzas = lib.concatStringsSep "\n" (map zoneStanza authoritativeZones);
in
{
  config = {
    # Interpolating the path copies ./zones into the Nix store (world-readable)
    # and links it to /etc/coredns-zones, where the `file` plugin reads it.
    # Only public zone data belongs there; keep any key material elsewhere.
    environment.etc."coredns-zones".source = "${./zones}";

    # DNS is reachable on every interface.  The recursive (`.`) server block
    # below is gated by its acl; the authoritative zones answer to anyone,
    # which is what an authoritative server is expected to do.
    networking.firewall.allowedTCPPorts = [ 53 ];
    networking.firewall.allowedUDPPorts = [ 53 ];

    services.coredns = {
      enable = true;
      # Corefile.  The `.` block is the recursive resolver: `acl` permits only
      # the listed private, CGNAT, loopback and own-AS prefixes, and the bare
      # `block` denies every other source, so this is not an open resolver.
      # Upstream queries are forwarded to Google Public DNS over plain UDP/TCP
      # (no tls://), so they are visible on the path.  `chaos` answers
      # CH-class TXT queries such as version.bind, which reports the CoreDNS
      # version to any client the acl lets through.  `zonehdr` is the shared
      # snippet imported by every authoritative zone stanza.
      config = ''
        . {
          chaos
          log
          errors
          acl {
            allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10
            allow net 92.118.28.0/22
            allow net 2a09:a440::/29 ::1/128
            block
          }
          forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4
        }

        (zonehdr) {
          prometheus
          log
          errors
          loadbalance round_robin
        }

        ${zoneStanzas}
      '';
    };
  };
}