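# NixOS module: runs an Unbound resolver for the LAN inside an ephemeral
# container ("ns") attached to the "vserver" macvlan. The host's ACME
# certificate for ns.cloonar.com is bind-mounted read-only into the container.
{ config, ... }:
let
  # Static uid/gid table shared by host and container, so the "unbound"
  # user/group carry the same ids on both sides (the bind-mounted ACME files
  # are group-readable by "unbound", so the gid must match across the boundary).
  # `import` takes a path, not a list; `import [ ... ]` fails at evaluation.
  cids = import ../modules/staticids.nix;

  domain = "ns.cloonar.com";

  # Unbound configuration, handed verbatim to services.unbound.settings.
  cfg = {
    server = {
      # Listen on every address (v4 and v6), port 53; interface-automatic makes
      # replies leave from the address the query arrived on.
      interface = [ "0.0.0.0" "::0" ];
      interface-automatic = "yes";

      # NOTE(review): the trailing "0.0.0.0/0 allow" makes every entry above it
      # redundant and turns this into an open resolver for anything that can
      # reach 10.42.97.10 (amplification/reflection exposure if the firewall
      # ever forwards UDP/53 here). Keep only the client ranges actually in use
      # and drop the catch-all once they are confirmed.
      access-control = [
        "127.0.0.0/8 allow"
        "10.42.96.0/24 allow"
        "10.42.97.0/24 allow"
        "10.42.98.0/24 allow"
        "10.42.99.0/24 allow"
        "10.42.101.0/24 allow"
        "0.0.0.0/0 allow"
      ];

      # NOTE(review): tls-cert-bundle is the CA bundle Unbound uses to verify
      # *upstream* DNS-over-TLS forwarders, not the certificate it serves to
      # clients. Every forward-addr below is a bare IP (no "#hostname"), so
      # nothing is verified with it today, and because no tls-service-key /
      # tls-service-pem or "@853" interface is configured, the container's
      # TCP/853 firewall rule does not appear to have a listener behind it.
      # A leaf+intermediate chain is also not a root CA bundle.
      tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem";

      # Local override zone: names listed in local-data are answered here,
      # everything else under cloonar.com falls through to the forwarders.
      local-zone = "\"cloonar.com\" transparent";
      local-data = [
        "\"localhost A 127.0.0.1\""
        "\"localhost.cloonar.com A 127.0.0.1\""
        "\"localhost AAAA ::1\""
        "\"localhost.cloonar.com AAAA ::1\""
        "\"fw.cloonar.com A 10.42.97.1\""
        "\"fw A 10.42.97.1\""
        "\"switch.cloonar.com IN A 10.42.97.10\""
        "\"drone.cloonar.com IN A 10.42.97.118\""
        "\"hv-02.cloonar.com IN A 10.42.97.3\""
        "\"home-assistant.cloonar.com IN A 10.42.97.20\""
        "\"home-assistant.cloonar.old IN A 10.44.97.20\""
        "\"deconz.cloonar.com IN A 10.42.97.20\""
        "\"mopidy.cloonar.com IN A 10.42.97.20\""
        "\"snapcast.cloonar.com IN A 10.42.97.20\""
        "\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
        "\"git.cloonar.com IN A 10.44.97.118\""
        "\"stage.wsw.at IN A 10.254.235.22\""
        "\"prod.wsw.at IN A 10.254.217.23\""
        "\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
        "\"wohnservice-wien.at IN A 10.254.240.109\""
        "\"mieterhilfe.at IN A 10.254.240.109\""
        "\"wohnpartner-wien.at IN A 10.254.240.109\""
        "\"wohnberatung-wien.at IN A 10.254.240.109\""
        "\"wienbautvor.at IN A 10.254.240.109\""
        "\"a.wohnservice-wien.at IN A 10.254.240.109\""
        "\"a.wohnpartner-wien.at IN A 10.254.240.109\""
        "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
        "\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
        "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"a.stage.wienbautvor.at IN A 10.254.240.110\""
        "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
        "\"testing.ebs.amz.at IN A 80.120.142.235\""
        "\"api.testing-ebs.amz.at IN A 80.120.142.235\""
        "\"metz.cloonar.com IN A 10.42.96.167\""
        "\"firetv-living.cloonar.com IN A 10.42.96.175\""
        "\"ps5-living.cloonar.com IN A 10.42.96.176\""
        "\"ddl-warez.to IN A 172.67.184.30\""
      ];
      # Reverse records for the overrides above.
      # TODO(review): "10.42.97.118 git.cloonar.com" disagrees with the A record
      # for git.cloonar.com (10.44.97.118) and shares 10.42.97.118 with
      # drone.cloonar.com; one of the two entries is probably a typo — confirm.
      local-data-ptr = [
        "\"127.0.0.1 localhost\""
        "\"::1 localhost\""
        "\"10.42.97.10 switch.cloonar.com\""
        "\"10.42.97.1 fw.cloonar.com\""
        "\"10.42.97.118 drone.cloonar.com\""
        "\"10.42.97.3 hv-02.cloonar.com\""
        "\"10.42.97.20 home-assistant.cloonar.com\""
        "\"10.42.97.9 cl-storage-01.cloonar.com\""
        "\"10.42.97.118 git.cloonar.com\""
        "\"10.254.235.22 stage.wsw.at\""
        "\"10.254.217.23 prod.wsw.at\""
        "\"10.254.240.109 wohnservice-wien.at\""
        "\"10.254.240.110 a.stage.wohnservice-wien.at\""
        "\"80.120.142.235 testing.ebs.amz.at\""
        "\"172.67.184.30 ddl-warez.to\""
      ];
    };

    # Everything not answered locally is forwarded; the default zone goes to
    # an internal resolver over plain DNS (the Quad9 DoT entries are disabled).
    forward-zone = [
      {
        name = ".";
        forward-addr = [
          "10.44.96.1"
          # "9.9.9.9#dns11.quad9.net"
          # "149.112.112.112#dns11.quad9.net"
        ];
      }
      { name = "ghetto.at.local."; forward-addr = [ "10.43.97.1" ]; }
      { name = "epicenter.works."; forward-addr = [ "10.50.60.1" ]; }
      { name = "akvorrat.at."; forward-addr = [ "10.50.60.1" ]; }
      { name = "epicenter.intra."; forward-addr = [ "10.14.1.1" ]; }
      { name = "intra.epicenter.works."; forward-addr = [ "10.14.1.1" ]; }
    ];
  };
in
{
  # Host-side user/group with the static ids, so the ACME cert directory can be
  # group-owned by "unbound" and readable inside the container.
  users.users.unbound = {
    group = "unbound";
    isSystemUser = true;
    uid = cids.uids.unbound;
  };
  users.groups.unbound = { gid = cids.gids.unbound; };

  # Give the unbound group read access to the ACME-issued material.
  security.acme.certs."${domain}" = { group = "unbound"; };

  containers.unbound = {
    autoStart = true;
    # Ephemeral root filesystem: the container state is rebuilt on every start.
    ephemeral = true;
    macvlans = [ "vserver" ];
    # Read-only mount of the host's ACME directory for this domain.
    bindMounts = {
      "/var/lib/acme/unbound/" = {
        hostPath = "${config.security.acme.certs.${domain}.directory}";
        isReadOnly = true;
      };
    };

    # The inner `config` shadows the host's; `cids` and `cfg` come from the
    # enclosing let and are evaluated on the host side.
    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "ns";
        defaultGateway = {
          address = "10.42.97.1";
          interface = "mv-vserver";
        };
        interfaces.mv-vserver = {
          ipv4.addresses = [{ address = "10.42.97.10"; prefixLength = 24; }];
        };
        firewall = {
          enable = true;
          allowedUDPPorts = [ 53 ];
          # TCP/53 is part of plain DNS (clients retry over TCP after a
          # truncated UDP answer); without it large/DNSSEC responses fail.
          # 853 is kept for DNS-over-TLS, but see the tls-cert-bundle note.
          allowedTCPPorts = [ 53 853 ];
        };
      };

      # Same static ids inside the container (see host-side definitions).
      users.users.unbound = {
        group = "unbound";
        isSystemUser = true;
        uid = cids.uids.unbound;
      };
      users.groups.unbound = { gid = cids.gids.unbound; };

      services.unbound = {
        enable = true;
        settings = cfg;
      };

      system.stateVersion = "23.05";
    };
  };
}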