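{ config, pkgs, ... }:
let
  cids = import ../modules/staticids.nix;

  # ACME certificate name; it is also the certificate presented to DNS-over-TLS clients.
  domain = "ns.cloonar.com";

  # unbound configuration, serialised by services.unbound.settings inside the container.
  cfg = {
    remote-control = {
      # unbound-control is used by unbound-sync below. With control-use-cert disabled
      # the control channel has no authentication at all, so it must only ever be
      # exposed as a Unix socket (services.unbound.localControlSocketPath, set in the
      # container config) and never on the default loopback TCP port.
      control-enable = true;
      control-use-cert = false;
    };

    server = {
      # Plain DNS on 53 plus DNS-over-TLS on 853 (unbound's default tls-port) on all
      # addresses. Previously 853/tcp was opened in the firewall but no TLS listener or
      # server certificate was configured, so DoT clients could never connect.
      # NOTE(review): interface-automatic is documented by unbound as experimental; if
      # the @853 entries are rejected in combination with it, use
      # interface-automatic-ports = "53 853" (unbound >= 1.16) instead.
      interface = [ "0.0.0.0" "::0" "0.0.0.0@853" "::0@853" ];
      interface-automatic = "yes";

      # Allow-list of client networks. The previous trailing "0.0.0.0/0 allow" made the
      # per-subnet entries meaningless and turned this into an open resolver wherever
      # the address is reachable (DNS amplification abuse, disclosure of the
      # split-horizon data below). "refuse" is unbound's default; it is spelled out so
      # the intent is visible. Add further client ranges here explicitly. IPv6 clients
      # remain refused (unbound's default "::0/0 refuse") until an IPv6 range is listed.
      access-control = [
        "127.0.0.0/8 allow"
        "10.42.96.0/24 allow"
        "10.42.97.0/24 allow"
        "10.42.98.0/24 allow"
        "10.42.99.0/24 allow"
        "10.42.101.0/24 allow"
        "0.0.0.0/0 refuse"
      ];

      # Server certificate for DoT, from the ACME directory bind-mounted into the
      # container (key.pem is group-readable by "unbound", see security.acme.certs).
      tls-service-pem = "/var/lib/acme/unbound/fullchain.pem";
      tls-service-key = "/var/lib/acme/unbound/key.pem";
      # CA bundle used to verify the upstream DoT forwarders. This used to point at our
      # own fullchain.pem, which is a leaf certificate chain and not a CA bundle, so every
      # upstream TLS validation would have failed.
      tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

      local-zone = "\"cloonar.com\" transparent";

      # Static split-horizon data. Names here are protected from being overridden by
      # DHCP-learned hostnames in unbound-sync below.
      local-data = [
        "\"localhost A 127.0.0.1\""
        "\"localhost.cloonar.com A 127.0.0.1\""
        "\"localhost AAAA ::1\""
        "\"localhost.cloonar.com AAAA ::1\""
        "\"fw.cloonar.com A 10.42.97.1\""
        "\"fw A 10.42.97.1\""
        "\"switch.cloonar.com IN A 10.42.97.10\""
        "\"drone.cloonar.com IN A 10.42.97.118\""
        "\"hv-02.cloonar.com IN A 10.42.97.3\""
        "\"home-assistant.cloonar.com IN A 10.42.97.20\""
        "\"home-assistant.cloonar.old IN A 10.44.97.20\""
        "\"deconz.cloonar.com IN A 10.42.97.20\""
        "\"mopidy.cloonar.com IN A 10.42.97.20\""
        "\"snapcast.cloonar.com IN A 10.42.97.20\""
        "\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
        "\"git.cloonar.old IN A 10.44.97.118\""
        "\"stage.wsw.at IN A 10.254.235.22\""
        "\"prod.wsw.at IN A 10.254.217.23\""
        "\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
        "\"wohnservice-wien.at IN A 10.254.240.109\""
        "\"mieterhilfe.at IN A 10.254.240.109\""
        "\"wohnpartner-wien.at IN A 10.254.240.109\""
        "\"wohnberatung-wien.at IN A 10.254.240.109\""
        "\"wienbautvor.at IN A 10.254.240.109\""
        "\"a.wohnservice-wien.at IN A 10.254.240.109\""
        "\"a.wohnpartner-wien.at IN A 10.254.240.109\""
        "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
        "\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
        "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"a.stage.wienbautvor.at IN A 10.254.240.110\""
        "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
        "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
        "\"testing.ebs.amz.at IN A 80.120.142.235\""
        "\"api.testing-ebs.amz.at IN A 80.120.142.235\""
        "\"metz.cloonar.com IN A 10.42.96.167\""
        "\"firetv-living.cloonar.com IN A 10.42.96.175\""
        "\"ps5-living.cloonar.com IN A 10.42.96.176\""
        "\"ddl-warez.to IN A 172.67.184.30\""
      ];

      local-data-ptr = [
        "\"127.0.0.1 localhost\""
        "\"::1 localhost\""
        "\"10.42.97.10 switch.cloonar.com\""
        "\"10.42.97.1 fw.cloonar.com\""
        "\"10.42.97.118 drone.cloonar.com\""
        "\"10.42.97.3 hv-02.cloonar.com\""
        "\"10.42.97.20 home-assistant.cloonar.com\""
        "\"10.42.97.9 cl-storage-01.cloonar.com\""
        "\"10.254.235.22 stage.wsw.at\""
        "\"10.254.217.23 prod.wsw.at\""
        "\"10.254.240.109 wohnservice-wien.at\""
        "\"10.254.240.110 a.stage.wohnservice-wien.at\""
        "\"80.120.142.235 testing.ebs.amz.at\""
        "\"172.67.184.30 ddl-warez.to\""
      ];
    };

    forward-zone = [
      { name = "ghetto.at.local."; forward-addr = [ "10.43.97.1" ]; }
      { name = "epicenter.works."; forward-addr = [ "10.50.60.1" ]; }
      { name = "akvorrat.at."; forward-addr = [ "10.50.60.1" ]; }
      { name = "epicenter.intra."; forward-addr = [ "10.14.1.1" ]; }
      { name = "intra.epicenter.works."; forward-addr = [ "10.14.1.1" ]; }
      {
        # Everything else goes to Quad9 over DNS-over-TLS: port 853, certificate
        # checked against the name after '#' using tls-cert-bundle. The earlier
        # (commented-out) attempt combined these addresses with dns11.quad9.net, which
        # is the TLS name of 9.9.9.11/149.112.112.11, not of 9.9.9.9/149.112.112.112,
        # and had no port, so it could not have validated.
        name = ".";
        forward-tls-upstream = true;
        forward-addr = [
          # "10.44.96.1"
          "9.9.9.9@853#dns.quad9.net"
          "149.112.112.112@853#dns.quad9.net"
        ];
      }
    ];
  };
in
{
  # The same static uid/gid on the host and in the container: the ACME key is made
  # group-readable by "unbound" on the host and bind-mounted in, so the gid must match.
  users.users.unbound = {
    group = "unbound";
    isSystemUser = true;
    uid = cids.uids.unbound;
  };
  users.groups.unbound.gid = cids.gids.unbound;

  security.acme.certs."${domain}".group = "unbound";

  containers.ns = {
    autoStart = true;
    ephemeral = true;
    macvlans = [ "vserver" ];

    bindMounts = {
      "/var/lib/acme/unbound/" = {
        hostPath = config.security.acme.certs.${domain}.directory;
        isReadOnly = true;
      };
      # Kea's lease database, consumed by unbound-sync below.
      # NOTE(review): a single-file bind mount pins the inode. If Kea's lease file
      # cleanup (lfc-interval) replaces the file via rename on the host, the container
      # keeps seeing the old file; bind-mount the directory and watch for moved_to
      # instead if that is enabled — TODO confirm against the host's Kea config.
      "/var/lib/kea/dhcp4.leases" = {
        hostPath = "/var/lib/kea/dhcp4.leases";
        isReadOnly = true;
      };
    };

    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "ns";
        defaultGateway = {
          address = "10.42.97.1";
          interface = "mv-vserver";
        };
        interfaces.mv-vserver.ipv4.addresses = [
          { address = "10.42.97.10"; prefixLength = 24; }
        ];
        firewall = {
          enable = true;
          allowedUDPPorts = [ 53 ];
          # 53/tcp was missing: it is required for truncated answers and large
          # (e.g. DNSSEC) responses. 853/tcp is DNS-over-TLS.
          allowedTCPPorts = [ 53 853 ];
        };
      };

      users.users.unbound = {
        group = "unbound";
        isSystemUser = true;
        uid = cids.uids.unbound;
      };
      users.groups.unbound.gid = cids.gids.unbound;

      services.unbound = {
        enable = true;
        # Control channel on a Unix socket guarded by filesystem permissions instead of
        # the default 127.0.0.1:8953, which with control-use-cert = false any local
        # process could talk to.
        localControlSocketPath = "/run/unbound/unbound.ctl";
        settings = cfg;
      };

      # Publishes A and PTR records for Kea's DHCP leases via unbound-control and
      # re-syncs whenever the lease file changes.
      # NOTE(review): runs as root because the lease file's mode is decided by Kea on
      # the host and the control socket is owned by unbound — TODO check whether
      # User = "unbound" is sufficient and drop root if so.
      systemd.services.unbound-sync = {
        enable = true;
        path = with pkgs; [ unbound inotify-tools gawk ];
        script = ''
          set -o pipefail

          # Names served from the static configuration (local-data plus the reverse
          # names of local-data-ptr). DHCP hostnames are chosen by the clients
          # themselves, so without this a rogue client could register "fw.cloonar.com"
          # and get its own A record added next to the real one. Read from the
          # config rather than the running daemon so a restart of this service does not
          # freeze previously learned dynamic names. Leading quotes are stripped in case
          # unbound-checkconf prints the values quoted.
          protected="''$(
            {
              unbound-checkconf -o local-data | awk '{ sub(/^"/, "", ''$1); print ''$1 }'
              unbound-checkconf -o local-data-ptr \
                | awk '{ sub(/^"/, "", ''$1); n = split(''$1, o, "."); if (n == 4) print o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa" }'
            } | tr 'A-Z' 'a-z' | sed 's/\.''$//' | sort -u
          )"

          # isProtected NAME: true when NAME (trailing dot ignored) is statically configured.
          isProtected() {
            printf '%s\n' "''$protected" | grep -qxF -- "''${1%.}"
          }

          # readFile FILE TYPE: print "address,hostname" for every active lease in a Kea
          # memfile CSV. TYPE is "A" for dhcp4.leases and "AAAA" for dhcp6.leases.
          readFile() {
            if [[ "''$2" == "A" ]]; then
              tail -n +2 "''$1" | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context; do
                # Kea writes state 0 for an active lease; declined/expired/released
                # entries and leases with a zero lifetime must not be published.
                [[ "''$state" == "0" && "''$valid_lifetime" != "0" ]] || continue
                echo "''$address,''$hostname"
              done
            else
              tail -n +2 "''$1" | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source; do
                [[ "''$state" == "0" && "''$valid_lifetime" != "0" ]] || continue
                echo "''$address,''$hostname"
              done
            fi
          }

          # readFileUnique FILE TYPE: push the current lease set into unbound.
          readFileUnique() {
            # Kea appends a line on every renewal, so only the LAST line per address is
            # current (the old "uniq" only collapsed adjacent duplicates).
            readFile "''$1" "''$2" \
              | awk -F, '{ last[''$1] = ''$2 } END { for (a in last) print a "," last[a] }' \
              | while IFS=, read -r address hostname; do
                hostname="''${hostname,,}"
                hostname="''${hostname%.}"
                # Untrusted input: accept exactly one plain label directly under
                # cloonar.com (stricter than the previous "*.cloonar.com" glob, which
                # also let through spaces and nested labels).
                [[ "''$hostname" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.cloonar\.com''$ ]] || continue
                if isProtected "''$hostname"; then
                  echo "skipping ''$hostname (''$address): name is statically configured" >&2
                  continue
                fi
                echo "''$hostname ''$2 ''$address"
                # Remove before adding so a client that moved address does not keep
                # its stale record alongside the new one.
                unbound-control local_data_remove "''$hostname" >/dev/null \
                  && unbound-control local_data "''$hostname" "''$2" "''$address" >/dev/null \
                  || echo "unbound-control failed for ''$hostname" >&2
                if [[ "''$2" == "A" ]]; then
                  IFS=. read -r ip0 ip1 ip2 ip3 <<< "''$address"
                  # The old script also added a bogus "ip4.arpa." record; the IPv4
                  # reverse tree is in-addr.arpa only.
                  rev="''$ip3.''$ip2.''$ip1.''$ip0.in-addr.arpa"
                  if ! isProtected "''$rev"; then
                    unbound-control local_data_remove "''$rev." >/dev/null \
                      && unbound-control local_data "''$rev." PTR "''$hostname" >/dev/null \
                      || echo "unbound-control failed for ''$rev" >&2
                  fi
                fi
              done
          }

          # syncFile FILE TYPE: initial sync, then re-sync on every write to FILE.
          # Returns non-zero when the watch dies so the service restarts instead of
          # idling silently.
          syncFile() {
            readFileUnique "''$1" "''$2"
            while inotifywait -e close_write,create "''$1"; do
              readFileUnique "''$1" "''$2"
            done
            echo "inotifywait on ''$1 exited" >&2
            return 1
          }

          syncFile "/var/lib/kea/dhcp4.leases" A &
          # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
          # Exit as soon as any watcher dies; a bare "wait" would always return 0.
          wait -n
        '';
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 5;
        };
        wants = [ "network-online.target" "unbound.service" ];
        after = [ "network-online.target" "unbound.service" ];
        partOf = [ "unbound.service" ];
        wantedBy = [ "multi-user.target" ];
      };

      system.stateVersion = "23.05";
    };
  };
}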