{ config, ... }:

{
  # exposes prometheus metrics at http://127.0.0.1:8081/metrics
  services = {
    powerdns = {
      enable = true;
      secretFile = config.age.secrets.powerdns.path;
      # API_KEY=supersecret123!
      # WEBSERVER_PASSWORD=supersecre123!
      extraConfig = ''
        api=yes
        api-key=$API_KEY
        local-address=0.0.0.0, ::
        local-port=53
        log-timestamp=no  # journald already does this
        resolver=127.0.0.54:5300  # Used for ALIAS lookup
        secondary=yes
        version-string=anonymous
        webserver-password=$WEBSERVER_PASSWORD
        webserver-port=8081

        launch=bind
      '';
    };
    powerdns-admin = {
      enable = true;
      secretKeyFile = config.age.secrets.powerdns-admin-cookie-secret.path;
      saltFile = config.age.secrets.powerdns-admin-salt.path;
      extraArgs = [];
      config = ''
        # PDA
        SIGNUP_ENABLED = True
        LOCAL_DB_ENABLED = True

        # Flask
        BIND_ADDRESS = '127.0.0.1'
        PORT = 8000
        #SESSION_COOKIE_SECURE = True

        # Flask-Session
        import cachelib
        SESSION_TYPE = 'cachelib'
        SESSION_CACHELIB = cachelib.simple.SimpleCache()

        # Flask-SQLAlchemy
        SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
        SQLALCHEMY_TRACK_MODIFICATIONS = True

        # FLask-SeaSurf
        #CSRF_COOKIE_SECURE = True
      '';
    };
    postgresql = {
      enable = true;
      package = pkgs.postgresql_18;
      ensureUsers = [
        {
          name = "pda";
          ensureDBOwnership = true;
        }
      ];
      ensureDatabases = [ "pda" ];
    };
    postgresqlBackup = {
      enable = true;
      compression = "zstd";
      startAt = "@midnight";
    };
  };
}