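# NixOS module: authoritative DNS (knot) for the zones declared in `allZones`.
#
# Module arguments: `machines` (the per-host inventory, used here for the
# ns1/ns2 glue addresses) plus the usual `config`, `lib` and `pkgs`.
{ machines, config, lib, pkgs, ... }:

let
  inherit (lib) types;
  cfg = config.zpha.configure.dnsServer;
in
{
  options.zpha.configure.dnsServer = {
    enable = lib.mkEnableOption "the authoritative knot DNS server for the zpha zones";

    isPrimary = lib.mkOption {
      type = types.bool;
      # Only the primary loads zone files, receives the knot key secret and
      # runs the ACME updater; any other enabled host acts as a secondary.
      default = config.networking.hostName == "cautus";
      description = ''
        Whether this host is the primary (zone-loading) nameserver.
        Defaults to `true` on the host named `cautus`.
      '';
    };
  };

  config = lib.mkIf cfg.enable (
    let
      # `host` is the only combinator used; bring it in explicitly instead of
      # opening the whole combinator set with `with`.
      inherit (pkgs.dnsNix.combinators) host;

      # Records shared by several of the zones below.
      TXT = [ "openpgp4fpr:BFE6386C8D66BCD4DAE14FC895F0FE7CD7E6A022" ];
      # CAA: restrict certificate issuance for the zones that carry it to
      # letsencrypt.org.
      CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ];
      NS = [ "ns1.fc9f.de." "ns2.fc9f.de." ];
      SOA = {
        nameServer = "ns1.fc9f.de.";
        adminEmail = "dns@fc9f.de"; # Email address with a real `@`!
        # Serial is left at 0 in the generated file; the knot zone settings
        # below (`zonefile-load = "difference-no-serial"`) presumably let knot
        # track the real serial in its journal — verify against the knot module.
        serial = 0;
      };

      allZones = {
        "fc9f.de" = {
          inherit NS SOA;
          subdomains = {
            # Delegate the ACME challenge zone to ns1 so dynamic updates from
            # the ACME client land in a separate zone, not the parent.
            acme.NS = [ "ns1" ];
            # Glue records for the two nameservers, taken from the inventory.
            ns1 = host machines.cautus.networking.ip4Address machines.cautus.networking.ip6Address;
            ns2 = host machines.sorrah.networking.ip4Address machines.sorrah.networking.ip6Address;
          };
        };

        # dn42 zone: its own nameserver set and contact, ULA-only glue.
        "zaphyra.dn42" = {
          NS = [ "ns1.zaphyra.dn42." ];
          SOA = {
            nameServer = "ns1.zaphyra.dn42.";
            adminEmail = "dns@zaphyra.eu"; # Email address with a real `@`!
            serial = 0;
          };
          subdomains = {
            ns1.AAAA = [ "fd6b:6174:6a61:53::1" ];
            ns2.AAAA = [ "fd6b:6174:6a61:53::2" ];
          };
        };

        "zaphyra.eu" = { inherit SOA NS CAA; };
        "zaphyra.de" = { inherit SOA NS CAA TXT; };
        "zpha.de" = { inherit SOA NS CAA TXT; };
        "katja.wtf" = { inherit SOA NS CAA; };
        "ctucx.de" = { inherit SOA NS CAA; };
        "thein.ovh" = { inherit SOA NS CAA; };
        "ctu.cx" = {
          inherit SOA NS CAA;
          subdomains = {
            # AT Protocol (Bluesky) handle verification record.
            _atproto.TXT = [ "did=did:plc:zaeuok3fmh2pcp4cjiicku4i" ];
          };
        };
      };
    in
    {
      # The knot key material is delivered by sops; make sure the secret is in
      # place before knot starts on the primary.
      systemd.services.knot.after = lib.mkIf cfg.isPrimary [ "sops-install-secrets.service" ];
      sops.secrets.knotKeys = lib.mkIf cfg.isPrimary {
        owner = "knot";
        group = "knot";
      };

      # Hand the zone definitions to the dns module, which renders the zone files
      # consumed below via `config.dns.zoneFiles`.
      dns = {
        enable = true;
        inherit allZones;
      };

      zpha.services = {
        knot = {
          enable = true;
          primary = cfg.isPrimary;
          # Only the primary loads zone files from disk; secondaries presumably
          # obtain the zones through knot's transfer setup in the knot module.
          zones = lib.mkIf cfg.isPrimary (
            lib.mapAttrs (_name: value: {
              file = value;
              journal-content = "all";
              # Never write journal changes back to the generated zone file.
              zonefile-sync = -1;
              zonefile-load = "difference-no-serial";
            }) config.dns.zoneFiles
          );
        };

        # ACME DNS-01 helper on the primary: challenges for every zone in
        # `allZones` are served from the delegated `acme.fc9f.de` zone, updated
        # with the sops-provided key (presumably a TSIG key — confirm).
        knotACME = lib.mkIf cfg.isPrimary {
          enable = true;
          zone = "acme.fc9f.de";
          zones = lib.attrNames allZones;
          nameServers = [ "ns1.fc9f.de." ];
          keyFile = config.sops.secrets.knotKeys.path;
        };
      };
    }
  );
}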