{ config, ... }:
let
  # Zone name. Both the BIND zone block and the on-disk zone file are keyed on it.
  fqdn = "tuxcord.net"; # fqdn = config.networking.fqdn;

  # update-policy rule types. Each one maps a key name to the
  # "<ruletype> [name]" fragment of a BIND `grant` line.
  #
  # zonesub matches every name below the zone the policy is declared in, so
  # BIND takes no name field here and the argument is simply ignored.
  zonesub = _: "zonesub";
  # subdomain needs an explicit name field; the key name is reused for it, so
  # this is only correct when the key name equals the domain being granted.
  # Not referenced by any entry in `keys` at the moment.
  subdomain = name: "subdomain ${name}";

  # TSIG keys allowed to send dynamic updates to the zone.
  #   name - key name; must match the key statement inside the included file
  #   path - secret file holding the key statement (must be readable by named)
  #   type - update-policy rule type (one of the functions above)
  keys = [
    {
      name = "tuxcord.net";
      path = config.age.secrets.dns-root-key.path;
      type = zonesub;
    }
  ];

  # One `include "<path>";` per key, spliced into the top-level named.conf.
  keyIncludes = builtins.concatStringsSep "\n"
    (builtins.map (k: "include \"${k.path}\";") keys);

  # One `grant` line per key, e.g. `grant "tuxcord.net" zonesub ANY;`.
  # ANY lets the key change every record type below the zone; if a key only
  # ever updates one record type, BIND accepts a type list in place of ANY.
  grants = builtins.concatStringsSep "\n"
    (builtins.map (k: "grant \"${k.name}\" ${k.type k.name} ANY;") keys);

  # NOTE(review): read straight from the bind module's config; confirm that
  # services.bind.listenOnPort exists in the module version in use, otherwise
  # evaluation fails on this line.
  dnsPort = config.services.bind.listenOnPort;
in
{
  services.bind = {
    enable = true;
    extraConfig = keyIncludes;
    zones.${fqdn} = {
      # Dynamic-update policy for this zone, one grant per key in `keys`.
      extraConfig = ''
        update-policy {
        ${grants}
        };
      '';
      # Zone file path. The zone data itself (SOA/NS records and the rest) is
      # not generated here; the original author noted it still has to be put
      # in place by hand.
      file = "/var/dns/${fqdn}.zone";
      master = true;
    };
  };

  # Open the DNS port for both transports.
  networking.firewall = {
    allowedTCPPorts = [ dnsPort ];
    allowedUDPPorts = [ dnsPort ];
  };

  # Keep the zone directory across reboots, owned by the bind user so named
  # can write to it.
  environment.persistence."/persist".directories = [
    {
      directory = "/var/dns";
      group = "named";
      user = "named";
    }
  ];
}