# Authoritative domain name server
# Copyright (C) 2022  Nguyễn Gia Phong
#
# This file is part of loang configuration.
#
# Loang configuration is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Loang configuration is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.

{ ... }:
let
  # Addresses of the one remote that is sent NOTIFY messages and is
  # allowed to pull zone transfers.  Kept in one place so the `remote`
  # entry and the transfer ACL cannot drift apart.
  secondaryAddresses = [ "204.87.183.53" "2607:7c80:54:6::53" ];

  # Apex records (SOA, NS, A, AAAA) shared by every zone whose file is
  # generated from this module.  The SOA serial is supplied by the caller.
  localZone = serial: ''
    @ SOA danh.loang.net. cnx.loang.net. ${toString serial} 14400 3600 604800 3600
    @ NS danh.loang.net.
    @ A 37.205.11.127
    @ AAAA 2a03:3b40:100::1:2
  '';

  # Zone served from a file generated with builtins.toFile, i.e. placed in
  # the Nix store.  Store paths are world-readable, which is acceptable
  # here because the file holds only public records.
  # dnssec-signing = false overrides the default template, so answers for
  # these zones are served unsigned.  No acl is attached, so neither the
  # "transfer" nor the "update" rule below applies to them.
  openNICZone = domain: serial: {
    inherit domain;
    file = builtins.toFile "${domain}.zone" (localZone serial);
    dnssec-signing = false;
  };

  # Zone that relies on the default template (file under
  # /var/lib/knot/zones, DNSSEC signing on), notifies the secondary and
  # lets it transfer the zone.  extraAcl appends further ACL rule ids.
  replicatedZone = domain: extraAcl: {
    inherit domain;
    notify = "secondary";
    acl = [ "secondary" ] ++ extraAcl;
  };
in {
  # Port 53 is reachable from anywhere over both transports; together
  # with server.listen below this exposes the daemon on every address.
  # NOTE(review): no response rate limiting (Knot's mod-rrl) is configured
  # in this file; a public UDP listener serving signed zones is a typical
  # reflection/amplification source, so confirm it is handled elsewhere.
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.knot = {
    enable = true;

    # Included by path at runtime.  The value is a quoted string, not a
    # Nix path, so the key material is not copied into the world-readable
    # Nix store.
    # NOTE(review): presumably this file defines the TSIG key "xrvs.net"
    # referenced by the "xarvos" ACL; confirm it is readable by the knot
    # user only.
    keyFiles = [ "/var/lib/knot/keys/update/xrvs.net" ];

    settings = {
      server.listen = [ "0.0.0.0@53" "::@53" ];

      remote = [
        {
          id = "secondary";
          address = map (addr: "${addr}@53") secondaryAddresses;
        }
      ];

      log = [
        {
          target = "syslog";
          any = "info";
        }
      ];

      acl = [
        # Zone transfers are authorised by source address alone.
        # NOTE(review): no TSIG key is required for transfers; adding one
        # would authenticate the secondary cryptographically instead of
        # relying on the address match.
        {
          id = "secondary";
          address = secondaryAddresses;
          action = "transfer";
        }
        # Dynamic updates must be signed with the key "xrvs.net".
        # update-owner = "key" additionally ties the owner names an
        # update may touch to the key name, so holding the key does not
        # grant write access to unrelated names.
        {
          id = "xarvos";
          key = "xrvs.net";
          action = "update";
          update-owner = "key";
        }
      ];

      template = [
        {
          id = "default";
          storage = "/var/lib/knot/zones";
          file = "%s";
          # Signing is the default; zones must opt out explicitly.
          dnssec-signing = true;
        }
      ];

      zone = [
        (openNICZone "cercle.libre" 2023021702)
        (replicatedZone "cnx.gdn" [ ])
        (replicatedZone "loang.net" [ ])
        (openNICZone "musike.pirate" 2023071727)
        (openNICZone "rub.parody" 2023032101)
        # Same as an openNICZone plus wildcard A/AAAA records, so every
        # name under sinyx.indy resolves to this host.
        {
          domain = "sinyx.indy";
          file = builtins.toFile "sinyx.indy.zone" ((localZone 2023022002) + ''
            * A 37.205.11.127
            * AAAA 2a03:3b40:100::1:2
          '');
          dnssec-signing = false;
        }
        (openNICZone "striproman.pirate" 2023022023)
        # The only zone that accepts dynamic updates (rule "xarvos").
        (replicatedZone "xrvs.net" [ "xarvos" ])
      ];
    };
  };
}