index: { lib, pkgs, config, assignments, allAssignments, ... }:
let
  inherit (builtins) attrNames elemAt;
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) prefixes vips routers;

  name = elemAt routers index;
  otherIndex = 1 - index;
  otherName = elemAt routers otherIndex;

  authZones = attrNames config.my.pdns.auth.bind.zones;
in
{
  config = {
    my = {
      secrets.files = {
        "home/pdns/auth.conf" = {
          owner = "pdns";
          group = "pdns";
        };
        "home/pdns/recursor.conf" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
        "home/ddclient-cloudflare.key" = {};
      };

      pdns.recursor = {
        enable = true;
        extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
      };
    };

    services = {
      pdns-recursor = {
        dns = {
          address = [
            "127.0.0.1" "::1"
            assignments.hi.ipv4.address assignments.hi.ipv6.address
            assignments.lo.ipv4.address assignments.lo.ipv6.address
          ];
          allowFrom = [
            "127.0.0.0/8" "::1/128"
            prefixes.hi.v4 prefixes.hi.v6
            prefixes.lo.v4 prefixes.lo.v6
          ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
        };

        settings = {
          query-local-address = [
            "0.0.0.0"
            "::"
          ];
          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;

          # DNS NOTIFY messages override TTL
          allow-notify-for = authZones;
          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];

          webserver = true;
          webserver-address = "::";
          webserver-allow-from = [ "127.0.0.1" "::1" ];
        };
      };
    };

    systemd = {
      services = {
        # Add AF_NETLINK to allow pulling IP from network interfaces
        pdns.serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        ddns-update = {
          description = "DNS update script";
          after = [ "network.target" ];
          path = [
            (pkgs.python3.withPackages (ps: [ ps.cloudflare ]))
            pkgs.ldns
          ];
          serviceConfig = {
            Type = "oneshot";
            ExecStart =
              ''${./dns_update.py} -k ${config.age.secrets."home/ddclient-cloudflare.key".path} '' +
              ''${pubDomain} ns${toString (index + 1)}.${config.networking.domain}'';
          };
          wantedBy = [ "multi-user.target" ];
        };
      };
      timers = {
        ddns-update = {
          description = "Periodically update DNS";
          wantedBy = [ "timers.target" ];
          timerConfig = {
            OnBootSec = "5min";
            OnUnitInactiveSec = "5min";
          };
        };
      };
    };

    environment.systemPackages = with pkgs; [
      # For rec_control
      pdns-recursor
      sqlite
    ];

    my.pdns.auth = {
      enable = true;
      extraSettingsFile = config.age.secrets."home/pdns/auth.conf".path;
      settings = {
        primary = true;
        resolver = "127.0.0.1";
        expand-alias = true;
        local-address = [
          "0.0.0.0:5353" "[::]:5353"
        ];
        also-notify = [ "127.0.0.1" ];
        enable-lua-records = true;
        # loglevel = 7;
        # log-dns-queries = true;
        # log-dns-details = true;

        api = true;
        webserver = true;
        webserver-address = "::";
        webserver-allow-from = [ "127.0.0.1" "::1" ];

        dnsupdate = true;
        launch = [ "gsqlite3" ];
        gsqlite3-database = "/var/lib/pdns/dynamic.sqlite3";
      };

      bind.zones =
      let
        names = [ "core" "hi" "lo" "untrusted" ];
        i = toString (index + 1);
      in
      {
        "${config.networking.domain}" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )

            ${name} IN LUA ${lib.my.dns.ifaceA {
              inherit pkgs;
              iface = "wan";
              skipBroadcasts = [ (lib.my.netBroadcast prefixes.modem.v4) ];
            }}
            ${otherName} IN LUA ${lib.my.dns.lookupIP {
              inherit pkgs;
              hostname = "${otherName}.${config.networking.domain}";
              server = net.cidr.host (otherIndex + 1) prefixes.hi.v4;
            }}
            ${elemAt routers 0} IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
            ${elemAt routers 1} IN AAAA ${net.cidr.host 2 prefixes.hi.v6}

            @ IN NS ns1
            @ IN NS ns2
            ns1 IN ALIAS ${elemAt routers 0}.${config.networking.domain}.
            ns2 IN ALIAS ${elemAt routers 1}.${config.networking.domain}.

            dyn IN NS ns1.dyn.h.nul.ie.
            dyn IN NS ns2.dyn.h.nul.ie.
            ns1.dyn.h.nul.ie. IN ALIAS ${elemAt routers 0}.${config.networking.domain}.
            ns2.dyn.h.nul.ie. IN ALIAS ${elemAt routers 1}.${config.networking.domain}.

            jim-core IN A ${net.cidr.host 10 prefixes.core.v4}
            jim IN A ${net.cidr.host 10 prefixes.hi.v4}
            jim IN AAAA ${net.cidr.host (65536+1) prefixes.hi.v6}
            jim-lo IN A ${net.cidr.host 10 prefixes.lo.v4}
            jim-lo IN AAAA ${net.cidr.host (65536+1) prefixes.lo.v6}

            dave-core IN A ${net.cidr.host 11 prefixes.core.v4}
            dave IN A ${net.cidr.host 11 prefixes.hi.v4}
            dave IN AAAA ${net.cidr.host (65536+2) prefixes.hi.v6}
            dave-lo IN A ${net.cidr.host 11 prefixes.lo.v4}
            dave-lo IN AAAA ${net.cidr.host (65536+2) prefixes.lo.v6}

            shytzel IN A ${net.cidr.host 12 prefixes.core.v4}

            wave IN A ${net.cidr.host 12 prefixes.hi.v4}
            wave IN AAAA ${net.cidr.host (65536+3) prefixes.hi.v6}
            vibe IN A ${net.cidr.host 13 prefixes.hi.v4}
            vibe IN AAAA ${net.cidr.host (65536+4) prefixes.hi.v6}

            ups IN A ${net.cidr.host 20 prefixes.lo.v4}
            palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4}

            ${lib.my.dns.fwdRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
            }}
          '';
        };
        "168.192.in-addr.arpa" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )

            @ IN NS ns1.${config.networking.domain}.
            @ IN NS ns2.${config.networking.domain}.

            ${lib.my.dns.ptrRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
              ndots = 2;
            }}
          '';
        };
        "0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )

            @ IN NS ns1.${config.networking.domain}.
            @ IN NS ns2.${config.networking.domain}.

            ${lib.my.dns.ptr6Records {
              inherit allAssignments names;
              domain = config.networking.domain;
              ndots = 20;
            }}
          '';
        };
      };
    };
  };
}