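# NixOS module: authoritative DNS server (Knot) for this host.
#
# Every regular "*.nix" file in ./zones becomes a Knot zone that is
# DNSSEC-signed with the "ecdsa" policy, except for the explicit override
# at the bottom of the `zone` attribute.  Secondaries listed under
# `acl.transfer` may pull AXFR/IXFR and are notified via `ns1`/`ns2`.
{ lib, inputs, ... }:
{
  kyouma.deployment.tags = [ "dns" ];

  # Public authoritative service: DNS on both transports, all interfaces.
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.knot = {
    enable = true;
    settings = {
      server.listen = [ "0.0.0.0@53" "::@53" ];

      # Zone-transfer authorisation is address-based only: no TSIG key is
      # bound to this ACL or to the remotes below, so the source address of
      # the secondary is the sole check.  Keep this list in sync with the
      # `remote` entries.
      acl.transfer = {
        action = "transfer";
        address = [
          "2a0f:be01:0:100::b00b"
          "45.150.123.11"
          "2603:c020:8001:9fff::b00b"
          "130.162.45.58"
          "2a03:4000:27:74::b00b"
          "185.244.193.190"
        ];
      };

      # Signing policy applied by the "signed" template.
      policy.ecdsa = {
        algorithm = "ecdsap256sha256";
        nsec3 = true;
        signing-threads = 4;
        zsk-lifetime = "60d";
      };

      # Secondaries that receive NOTIFY.
      remote = {
        ns1.address = [ "2a03:4000:27:74::b00b" ];
        ns2.address = [ "2603:c020:8001:9fff::b00b" ];
      };

      template = {
        # Served as-is, no DNSSEC.
        unsigned = {
          acl = "transfer";
          notify = [ "ns1" "ns2" ];
          zonefile-load = "difference";
        };
        # Default for generated zones: signed inline with the policy above.
        signed = {
          acl = "transfer";
          dnssec-signing = true;
          dnssec-policy = "ecdsa";
          notify = [ "ns1" "ns2" ];
          semantic-checks = true;
          zonefile-load = "difference";
        };
      };

      zone =
        let
          dns = inputs.dns;
          ztemp = import ./template.nix { inherit dns; };

          # Zone names taken from the regular "*.nix" files in ./zones.
          # Requiring the ".nix" suffix keeps stray regular files (editor
          # backups, notes, …) from turning into zone names whose
          # `import zones/<name>.nix` below would fail.
          zones = map (lib.removeSuffix ".nix") (
            builtins.attrNames (
              lib.filterAttrs
                (name: type: type == "regular" && lib.hasSuffix ".nix" name)
                (builtins.readDir ./zones)
            )
          );

          # Knot zone entry for one domain: the rendered zone file and the
          # default (signed) template.  zones/<domain>.nix is expected to
          # evaluate to an attribute set with a `zone` attribute.
          zoneCfg = domain: {
            file = dns.util.writeZone domain
              (import zones/${domain}.nix { inherit dns ztemp; }).zone;
            template = "signed";
          };
        in
        # frotti.ng is served unsigned.  recursiveUpdate keeps the generated
        # `file` entry and only swaps the template — presumably
        # ./zones/frotti.ng.nix exists; otherwise this zone has no file.
        lib.recursiveUpdate (lib.genAttrs zones zoneCfg) {
          "frotti.ng" = { template = "unsigned"; };
        };
    };
  };
}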