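# Authoritative DNS role for this host.
#
# Every zone in `allZones` is served by Knot. The primary (by default the host
# named `morio`) loads the generated zone files, owns the key secret and runs
# the ACME delegation helper; any other enabled host only runs Knot with
# `primary = false` (how it obtains the zones is not configured here).
{ inputs, povSelf, pkgs, lib, config, hostConfig, dnsNix, ... }:
let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;
in
{
  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    # Primary/secondary split: only the primary gets the zone files, the
    # `knotKeys` secret and the knotACME service.
    isPrimary = {
      type = types.bool;
      default = config.networking.hostName == "morio";
    };
  };

  config = lib.mkIf cfg.enable (
    let
      # Single source of truth for the authoritative name server set. It is
      # used as the apex NS RRset of every zone, for the `acme.infra`
      # delegation and by knotACME, so the three cannot drift apart when a
      # server is replaced.
      nameServers = [
        "morio.infra.zaphyra.eu."
        "novus.infra.zaphyra.eu."
      ];

      allZones =
        with dnsNix.combinators;
        let
          # Only Let's Encrypt may issue certificates for these names.
          # No `issuewild` tag is set, so CAs fall back to `issue` for
          # wildcard requests (RFC 8659); no `iodef` tag is set, so a
          # rejected request is not reported anywhere.
          CAA = [
            {
              issuerCritical = false;
              tag = "issue";
              value = "letsencrypt.org";
            }
          ];
          NS = nameServers;
          SOA = {
            nameServer = "morio.infra.zaphyra.eu.";
            adminEmail = "dns@zaphyra.eu"; # Email address with a real `@`!
            # Placeholder only: the Knot zone config below loads the file with
            # `difference-no-serial`, so Knot keeps its own serial.
            serial = 0;
          };
        in
        {
          "zaphyra.eu" = {
            inherit SOA NS CAA;
            subdomains = {
              # Delegation of the ACME challenge zone to the same servers.
              "acme.infra".NS = nameServers;
              "accesspoint.home.infra".AAAA = [ "2a03:4000:4d:5e:acab::2" ];
            };
          };

          "zaphyra.de" = {
            inherit SOA NS CAA;
          };

          "katja.wtf" = {
            inherit SOA NS CAA;
            subdomains = {
              # legacy-stuff (zuggeschmack server)
              "trabbi.infra".A = [ "94.16.104.148" ];
              "trabbi.infra".AAAA = [ "2a03:4000:50:e8::1" ];
            };
          };

          "ctu.cx" = {
            inherit SOA NS CAA;
            subdomains = {
              # Glue-style A/AAAA records for the two name servers, taken from
              # the host definitions so they follow an address change.
              ns1 = (
                host inputs.self.hosts.morio.networking.ip4Address
                  inputs.self.hosts.morio.networking.ip6Address
              );
              ns2 = (
                host inputs.self.hosts.novus.networking.ip4Address
                  inputs.self.hosts.novus.networking.ip6Address
              );
              _atproto.TXT = [ "did=did:plc:zaeuok3fmh2pcp4cjiicku4i" ];
            };
          };

          "ctucx.de" = {
            inherit SOA NS CAA;
          };

          "thein.ovh" = {
            inherit SOA NS CAA;
          };

          "zuggeschmack.de" = {
            inherit SOA NS CAA;
            A = [ "94.16.104.148" ];
            AAAA = [ "2a03:4000:50:e8::1" ];
            subdomains.client.CNAME = [ "zuggeschmack.de." ];
          };
        };
    in
    {
      # Knot must not start before its key file exists. Note this is ordering
      # only (`after`, no `requires`); it is set on secondaries too, where the
      # secret is not defined and the ordering is simply harmless.
      systemd.services.knot.after = [ "sops-install-secrets.service" ];

      # Key material handed to knotACME via `keyFile`; owned by the knot user.
      # No `mode` is set here, so the sops-nix default applies.
      sops.secrets.knotKeys = lib.mkIf cfg.isPrimary {
        owner = "knot";
        group = "knot";
      };

      dns = {
        enable = true;
        allZones = allZones;
      };

      modules.services = {
        knot = {
          enable = true;
          primary = cfg.isPrimary;
          # One Knot zone entry per generated zone file (primary only).
          # `difference-no-serial` loads the file's changes while Knot keeps
          # its own serial, `journal-content = "all"` stores the zone and its
          # changes in the journal and `zonefile-sync = -1` never writes the
          # zone back to the (store-managed) file.
          zones = lib.mkIf cfg.isPrimary (
            config.dns.zoneFiles
            |> lib.mapAttrs (
              name: value: {
                file = value;
                journal-content = "all";
                zonefile-sync = -1;
                zonefile-load = "difference-no-serial";
              }
            )
          );
        };

        # ACME DNS-01 helper (primary only): challenge records for all served
        # zones live under the delegated `acme.infra.zaphyra.eu` zone.
        knotACME = lib.mkIf cfg.isPrimary {
          enable = true;
          zone = "acme.infra.zaphyra.eu";
          zones = lib.attrNames allZones;
          nameServers = nameServers;
          keyFile = config.sops.secrets.knotKeys.path;
        };
      };
    }
  );
}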