# NixOS module: optional NSD authoritative name server, switched on with
# `local.ns.server.enable`.
#
# When enabled it
#   * opens the NSD port for both TCP and UDP in the host firewall, and
#   * enables services.nsd with one zone per attribute of
#     `config.local.ns.zones`.
{ config, lib, ... }:

let
  serverCfg = config.local.ns.server;

  # Read the port back from the NSD configuration so the firewall rule
  # follows whatever port the daemon is set to use.
  dnsPort = config.services.nsd.port;

  # Map one entry of `local.ns.zones` to the shape services.nsd.zones expects.
  # Only `content` is read; `local.ns.zones` is declared outside this module.
  # NOTE(review): zone data set this way becomes part of the system
  # configuration, so it should contain public records only - confirm.
  toNsdZone = _zoneName: zoneCfg: { data = zoneCfg.content; };
in
{
  options.local.ns.server = {
    enable = lib.mkEnableOption "nsd authoritative server";
  };

  config = lib.mkIf serverCfg.enable {
    # allowedTCPPorts / allowedUDPPorts are not scoped to an interface: the
    # port is opened on every interface the firewall covers.
    networking.firewall = {
      allowedTCPPorts = [ dnsPort ];
      allowedUDPPorts = [ dnsPort ];
    };

    services.nsd = {
      enable = true;

      # Lets NSD bind addresses that are not (yet) configured on the host.
      # NOTE(review): `interfaces` is not set in this module, so the listening
      # addresses come from the module default or from another module - check
      # that they match the exposure the firewall rule above grants.
      ipFreebind = true;

      # BIND8-style statistics, reported every 3600 seconds.
      bind8Stats = true;
      statistics = 3600;

      # TCP limits: concurrent connections, idle timeout in seconds, and
      # queries served per connection. Together they bound how much a slow or
      # idle TCP client can hold open.
      tcpCount = 128;
      tcpTimeout = 30;
      tcpQueryCount = 128;

      # NOTE(review): services.nsd.ratelimit is not enabled here. For a server
      # answering UDP queries from untrusted networks, response rate limiting
      # reduces its usefulness as a reflection/amplification source; consider
      # enabling it if this host is internet-facing.

      zones = lib.mapAttrs toNsdZone config.local.ns.zones;
    };
  };
}