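# NixOS module: a PostgreSQL container plus an authoritative PowerDNS container
# (pschiffe/pdns-pgsql) on a private podman network, with host port 53 DNAT'd
# to the PowerDNS container via nftables.
{ config, pkgs, lib, ... }:
let
  domain = "hexname.com";
  # Container network addressing. The subnet and gateway are referenced in
  # several places below (podman network, container --dns, nftables), so they
  # are bound once here.
  subnet = "10.89.0.0/24";
  gatewayIp = "10.89.0.1";
  dbIp = "10.89.0.25";
  pdnsIp = "10.89.0.53";
in
{
  virtualisation.oci-containers.containers = {
    hexname-postgres = {
      hostname = "pgsql";
      # NOTE(review): major-version tag only; pin to a digest if reproducible
      # pulls are wanted.
      image = "postgres:18-alpine";
      # Only reachable from the host loopback.
      ports = [ "127.0.0.1:5432:5432" ];
      volumes = [
        "pgsql:/var/lib/postgresql/data:Z"
        "/etc/localtime:/etc/localtime:ro"
      ];
      environment = {
        POSTGRES_USER = "hexname-backend";
      };
      # POSTGRES_PASSWORD is supplied through a root-only env file rather than
      # inline: every literal in this file ends up world-readable in
      # /nix/store. Path constructed to mirror the powerdns env file below;
      # the file must exist (owner root, mode 0600) before the unit starts.
      environmentFiles = [ "/etc/env/hexname/postgres.env" ];
      networks = [ "hexname-net" ];
      extraOptions = [
        # Container-side resolver (podman's DNS on the network gateway).
        "--dns=${gatewayIp}"
        "--ip=${dbIp}"
      ];
    };

    hexname-powerdns = {
      # NOTE(review): unpinned `latest` tag; pin to a version or digest.
      image = "pschiffe/pdns-pgsql:latest";
      hostname = "ns1.${domain}";
      # API/webserver only on the host loopback; port 53 is reached through
      # the nftables DNAT below, not a port mapping.
      ports = [ "127.0.0.1:8081:8081/tcp" ];
      networks = [ "hexname-net" ];
      volumes = [ "/etc/localtime:/etc/localtime:ro" ];
      # Holds the secrets that must not be written in this file
      # (PDNS_gpgsql_password, PDNS_api_key, ...).
      environmentFiles = [ "/etc/env/hexname/powerdns.env" ];
      environment = {
        # PDNS_primary = "yes";
        PDNS_api = "yes";
        # Zone transfers are not offered to anyone.
        PDNS_disable_axfr = "yes";
        # PDNS_webserver = "yes";
        PDNS_webserver_address = "0.0.0.0";
        PDNS_webserver_port = "8081";
        PDNS_local_address = "${pdnsIp}:53";
        PDNS_webserver_allow_from = subnet;
        # Do not reveal the server version in responses.
        PDNS_version_string = "anonymous";
        PDNS_default_ttl = "3600";
        # PDNS_gpgsql_password=...   (from environmentFiles)
        # PDNS_api_key=...           (from environmentFiles)
        # PDNS_gpgsql_host = "127.0.0.1";
        # PDNS_gpgsql_port = "5432";
        # PDNS_gpgsql_dbname = "powerdns";
        # PDNS_gpgsql_user = "postgres";
        # PDNS_gpgsql_password = "powerdns";
      };
      extraOptions = [
        # "--network=host"
        "--ip=${pdnsIp}"
        # Static mapping of the DB hostname; avoids depending on in-network
        # name resolution for the database connection.
        "--add-host=pgsql:${dbIp}"
      ];
      dependsOn = [ "hexname-postgres" ];
    };
  };

  # Creates the podman network the containers attach to with fixed --ip
  # addresses; idempotent (inspect first, create only if missing).
  systemd.services.podman-network-hexname = {
    description = "Podman network for HexName/PowerDNS";
    after = [ "podman.service" ];
    # NOTE(review): the container units generated by oci-containers are
    # services (podman-<name>.service); confirm that matching .target units
    # exist, otherwise the two container entries here have no effect and the
    # ordering should be expressed on the container services instead.
    wantedBy = [
      "multi-user.target"
      "podman-hexname-postgres.target"
      "podman-hexname-powerdns.target"
    ];
    serviceConfig.Type = "oneshot";
    path = [ pkgs.podman ];
    script = ''
      podman network inspect hexname-net >/dev/null 2>&1 || \
        podman network create hexname-net --subnet ${subnet}
    '';
  };

  # Bind port 53 and send all requests to the container
  networking.nftables.enable = true;
  networking.nftables.tables.dns = {
    family = "inet";
    content = ''
      chain prerouting {
        type nat hook prerouting priority -100;
        # Only rewrite DNS traffic that does not originate inside the container
        # subnet: the containers resolve through ${gatewayIp}:53, and an
        # unrestricted rule would also redirect those queries to the
        # authoritative server (likely why the add-host workaround exists
        # on the powerdns container -- confirm).
        ip saddr != ${subnet} udp dport 53 dnat ip to ${pdnsIp}:53
        ip saddr != ${subnet} tcp dport 53 dnat ip to ${pdnsIp}:53
      }
      chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr ${subnet} masquerade
      }
    '';
  };
  # Packets DNAT'd in prerouting traverse the forward path, so these input
  # rules are for completeness; keep them in sync with the DNAT above.
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
}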