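# PowerDNS authoritative server (primary or secondary) plus PowerDNS-Admin.
#
# The host's role is chosen through the `services.powerdns.role` option
# declared below; the matching pdns.conf fragment from the `let` block
# becomes `services.powerdns.extraConfig`. The admin UI runs behind nginx,
# and PowerDNS and PowerDNS-Admin share the local PostgreSQL database `pdns`.
{ config, lib, pkgs, ... }:

let
  # pdns.conf fragment for the primary: gpgsql backend over the local
  # socket, HTTP API and webserver bound to 10.10.0.1, NOTIFYs sent to the
  # three listed secondaries (only-notify is left empty, so the zones' own
  # NS records are not notified).
  # `$PDNS_API_KEY` is a placeholder; the powerdns service substitutes it
  # from `secretFile` (set below) at start-up, so the key itself does not
  # end up in the Nix store.
  # NOTE(review): allow-axfr-ips and allow-dnsupdate-from accept all of
  # 10.0.0.0/8 — confirm this is not wider than the set of hosts that are
  # meant to transfer or modify zones.
  primary = ''
    allow-axfr-ips = 10.0.0.0/8,127.0.0.0/8
    allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8
    also-notify = 10.10.0.3 10.10.0.4 10.10.0.5
    only-notify =
    default-soa-content = primary.ns.vapor.systems hostmaster.@ 0 10800 3600 604800 3600
    gpgsql-dbname = pdns
    gpgsql-host = /var/run/postgresql
    gpgsql-port = 5432
    gpgsql-user = pdns
    launch = gpgsql
    api = yes
    local-address = 0.0.0.0 [::]
    primary = yes
    webserver = yes
    webserver-address = 10.10.0.1
    webserver-allow-from = 10.0.0.0/8,127.0.0.0/8
    api-key = $PDNS_API_KEY
  '';

  # Hosts a secondary accepts as autoprimary (supermaster).
  autoprimary = pkgs.writeText "autoprimary.conf" ''
    10.10.0.1
  '';

  # Minimal named.conf for the bind backend; zones learnt through the
  # autosecondary mechanism land in the included file under /var/lib/pdns.
  bind = pkgs.writeText "named.conf" ''
    include "/var/lib/pdns/named-autosecondary.conf";
  '';

  # pdns.conf fragment for a secondary: bind backend, zones provisioned
  # automatically from the autoprimary, NOTIFYs accepted from the primary's
  # address only.
  secondary = ''
    autosecondary = yes
    bind-config = ${bind}
    bind-supermaster-config = /var/lib/pdns/named-autosecondary.conf
    bind-supermaster-destdir = /var/lib/pdns/zones
    bind-supermasters = ${autoprimary}
    guardian = yes
    launch = bind
    local-address = 0.0.0.0 [::]
    secondary = yes
    allow-notify-from = 10.10.0.1/32
  '';
in
{
  options.services.powerdns = {
    # Which pdns.conf fragment above this host deploys. Deliberately has no
    # default: every host importing this module must choose.
    role = lib.mkOption {
      type = lib.types.enum [ "primary" "secondary" ];
      description = "Whether this host runs the PowerDNS primary or a secondary.";
    };
  };

  # NOTE(review): everything below except services.powerdns is applied for
  # both roles. The fixed addresses (178.63.224.13, 10.10.0.1) suggest the
  # admin UI, nginx, ACME and PostgreSQL parts are only meant for the primary
  # host; consider wrapping them in lib.mkIf on the role. Left unchanged here.
  config = {
    environment.systemPackages = [ pkgs.powerdns ];

    services.powerdns = {
      enable = true;
      extraConfig =
        if config.services.powerdns.role == "primary" then primary else secondary;
      # Environment file providing PDNS_API_KEY for the primary fragment.
      secretFile = "/etc/secrets/pdns_api.env";
    };

    services.powerdns-admin = {
      enable = true;
      secretKeyFile = "/var/lib/pdns/secret.key";
      saltFile = "/var/lib/pdns/salt";
      # Bind address of the admin application; nginx below proxies to it.
      extraArgs = [ "-b" "10.10.0.1:8000" ];
      # Application settings. The database is reached over the PostgreSQL
      # socket directory, which the BindPaths entry below makes available to
      # the service. The SAML block is kept commented out, as deployed.
      config = ''
        SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/pdns?host=/run/postgresql'
        # SAML_ENABLED = True
        # SAML_DEBUG = True
        # SAML_METADATA_URL = 'https://auth.vapor.systems/application/saml/powerdns/metadata/'
        # SAML_METADATA_CACHE_LIFETIME = 1
        # SAML_LOGOUT_URL = 'https://auth.vapor.systems/application/saml/powerdns/slo/binding/redirect/'
        # SAML_SP_ENTITY_ID = 'pdns-admin'
        # SAML_SP_CONTACT_NAME = 'me'
        # SAML_SP_CONTACT_MAIL = 'me'
        # SAML_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
        # SAML_ATTRIBUTE_USERNAME = 'http://schemas.goauthentik.io/2021/02/saml/username'
        # SAML_ATTRIBUTE_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
        # SAML_ATTRIBUTE_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
        # SAML_ATTRIBUTE_GROUP = 'http://schemas.xmlsoap.org/claims/Group'
        # SAML_GROUP_ADMIN_NAME = 'admin'
        # SAML_SIGN_REQUEST = False
        # SAML_ASSERTION_ENCRYPTED = False
        # SAML_WANT_MESSAGE_SIGNED = False
        # SAML_CERT = '/var/lib/pdns/saml.crt'
      '';
    };

    # Wildcard certificate that also covers ns.vapor.systems.
    # NOTE(review): a wildcard name can only be issued through the DNS-01
    # challenge; confirm the dnsProvider/credentials for this certificate
    # are configured elsewhere.
    security.acme.certs."vapor.systems" = {
      extraDomainNames = [ "*.vapor.systems" ];
    };

    # Public entry point for the admin UI. forceSSL (instead of addSSL)
    # redirects plain-HTTP requests to HTTPS, so the login form and session
    # cookie are never exchanged in clear text.
    services.nginx = {
      enable = true;
      defaultListenAddresses = [ "178.63.224.13" ];
      virtualHosts."ns.vapor.systems" = {
        forceSSL = true;
        useACMEHost = "vapor.systems";
        locations."/" = {
          proxyPass = "http://10.10.0.1:8000";
          proxyWebsockets = true;
          # NOTE(review): proxy_pass_header governs which upstream *response*
          # headers nginx passes on to the client; request headers such as
          # Authorization are forwarded by default. Kept as-is pending
          # confirmation that it is needed.
          extraConfig = "proxy_pass_header Authorization;";
        };
      };
    };

    # Make the PostgreSQL socket directory visible inside the powerdns-admin
    # service so the socket URI above resolves (presumably the unit runs with
    # a private /run — confirm against the upstream unit).
    systemd.services.powerdns-admin.serviceConfig = {
      BindPaths = [ "/run/postgresql" ];
    };

    services.postgresql = {
      ensureDatabases = [ "pdns" ];
      # Both the server (pdns) and the admin UI (powerdnsadmin) use the same
      # database.
      # NOTE(review): ensurePermissions has been deprecated in later NixOS
      # releases in favour of ensureDBOwnership — check against the nixpkgs
      # revision this module is deployed with.
      ensureUsers = [
        {
          name = "pdns";
          ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
        }
        {
          name = "powerdnsadmin";
          ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
        }
      ];
    };
  };
}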