# NixOS module: an nsd authoritative DNS server, configured under
# `local.ns.server`.
#
# When enabled it turns on `services.nsd`, opens the nsd port in the host
# firewall for both TCP and UDP, and hands every zone declared in
# `config.local.ns.zones` to nsd under its absolute (dot-terminated) name.
{ config, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types mapAttrs' nameValuePair;

  cfg = config.local.ns.server;
  nsdCfg = config.services.nsd;

  # Zone names in `local.ns.zones` carry no trailing dot; nsd wants the
  # absolute form, so one is appended.  Each zone is expected to provide
  # its own `nsdConfig` attribute set (defined elsewhere in this module
  # tree, not visible in this file).
  nsdZones = mapAttrs'
    (zoneName: zone: nameValuePair (zoneName + ".") zone.nsdConfig)
    config.local.ns.zones;

  # True when no TSIG key is requested ("NOKEY") or when the named key is
  # declared under `services.nsd.keys`.  Checked at evaluation time so a
  # mistyped key name fails the build rather than yielding a server that
  # runs without the key the operator intended.
  tsigKeyIsKnown =
    cfg.tsigName == "NOKEY" || builtins.hasAttr cfg.tsigName nsdCfg.keys;
in
{
  options.local.ns.server = {
    enable = mkEnableOption "nsd authoritative server";

    # Name of a TSIG key under `services.nsd.keys`; "NOKEY" selects none.
    # Only validated in this file — presumably consumed by the zone
    # definitions behind `local.ns.zones`; confirm against that module.
    tsigName = mkOption {
      type = types.str;
      default = "NOKEY";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = tsigKeyIsKnown;
        message = "TSIG key '${cfg.tsigName}' not defined";
      }
    ];

    # An authoritative nameserver must answer the world, so the nsd port
    # is opened on both transports (UDP for normal queries, TCP for
    # truncated responses and zone transfers).
    networking.firewall = {
      allowedTCPPorts = [ nsdCfg.port ];
      allowedUDPPorts = [ nsdCfg.port ];
    };

    services.nsd = {
      enable = true;
      # Bind to addresses not (yet) configured on the host (IP_FREEBIND).
      # NOTE(review): presumably for anycast/VIP addresses — confirm.
      ipFreebind = true;
      # BIND8-style statistics written to the log every 3600 s.
      bind8Stats = true;
      statistics = 3600;
      # TCP connection limits and idle timeout (seconds).
      tcpCount = 128;
      tcpTimeout = 30;
      tcpQueryCount = 128;
      zones = nsdZones;
    };
  };
}