{ pkgs, lib, config, ... }:
with builtins;
let
  inherit (builtins.extraBuiltins) pass git;
  inherit (lib) toInt;
  inherit (pkgs.lib) unlinesAttrs types;
  inherit (config) networking;
  inherit (config.services) nsd rspamd;
  # Use the Git commit time of the ${domain}.nix file to set the serial number.
  # WARNING: the ${domain}.nix must be committed into Git for this to work.
  serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
  # FIXME: make dedicated config options
  mermetIPv4 = "80.67.180.129";
  chomskyIPv4 = "91.216.110.36";
  domain = "autogeree.net";
in
{
services.nsd.zones."${domain}" = {
  # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
  # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named
  provideXFR = [ "217.70.177.40 NOKEY" ];
  # Not allowed by 217.70.177.40
  #notify     = [ "217.70.177.40 NOKEY" ];
  dnssec = false;
  # TODO: increase the TTL once things have settled down
  data = ''
    $ORIGIN ${domain}.
    $TTL 500

    ; SOA (Start Of Authority)
    @ SOA ns admin (
      ${toString (toInt (serial domain) - 1581021859 + 2016043001)} ; Serial number
      24h   ; Refresh
      15m   ; Retry
      1000h ; Expire (1000h)
      1d    ; Negative caching
    )

    ; NS (Name Server)
    @ NS ns
    @ NS ns6.gandi.net.

    ; A (DNS -> IPv4)
    @ A ${mermetIPv4}
    chomsky A ${chomskyIPv4}
    mermet  A ${mermetIPv4}

    ; CNAME
    autoconfig CNAME mermet
    code       CNAME mermet
    git        CNAME mermet
    imap       CNAME mermet
    mail       CNAME mermet
    ns         CNAME mermet
    pop        CNAME mermet
    smtp       CNAME mermet
    submission CNAME mermet
    www        CNAME mermet

    ; SPF (Sender Policy Framework)
    @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
    @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"

    ; MX (Mail eXchange)
    @ 180 MX 5 mail

    ; SRV (SeRVice)
    _git._tcp.git 18000 IN SRV 0 0 9418 git
  '';
};
}