{ lib, dns, ... }:

let
  inherit (lib)
    filterAttrs
    mapAttrs'
    nameValuePair
    optional
    ;

  inherit (lib.extra) fuseAttrs mapSingleFuse;

  inherit (dns.lib.combinators) mx spf ttl;

  meta = (import ./.) lib;

  # Build a record set that holds a single CNAME pointing at `target`.
  mkCNAME = target: { CNAME = [ target ]; };

  # For one node, build the CNAME entries that alias service names to that
  # node's infra hostname.
  #
  # `server` is a key of `meta.nodes`. The second argument lists service names
  # per address family, each aliased to:
  #   dual -> "<server>.<site>.infra"
  #   v4   -> "v4.<server>.<site>.infra"
  #   v6   -> "v6.<server>.<site>.infra"
  #
  # The targets carry no trailing dot.
  # NOTE(review): presumably they are resolved relative to this zone's origin;
  # confirm against the generated zone file.
  # NOTE(review): mapSingleFuse and fuseAttrs come from lib.extra and are not
  # shown here; this assumes they map over a list of names and merge the
  # resulting attribute sets. Verify how they treat duplicate names.
  mkHosted =
    server:
    {
      dual ? [ ],
      v4 ? [ ],
      v6 ? [ ],
    }:
    let
      target = "${server}.${meta.nodes.${server}.site}.infra";
      aliasAll = to: names: mapSingleFuse (_: mkCNAME to) names;
    in
    fuseAttrs [
      (aliasAll target dual)
      (aliasAll "v4.${target}" v4)
      (aliasAll "v6.${target}" v6)
    ];

  # Hand-written aliases: attribute name = label under this zone,
  # value = CNAME target.
  #
  # Targets ending in "." are absolute names in zones that are not defined in
  # this file (codeberg.page, lahfa.xyz, katvayor.net, ens.fr). The alias keeps
  # following such a target even after the service behind it is retired or the
  # name changes hands, so remove the entry here when the service goes away.
  cnames = builtins.mapAttrs (_: mkCNAME) {
    dev = "dev.pages.codeberg.page.";
    irc = "public.p.lahfa.xyz.";
    webmail = "kurisu.dual.lahfa.xyz.";

    # Transition to new site names (old name -> new name; no trailing dot on
    # the target)
    "web01.dmi01.infra" = "web01.rat01.infra";
    "web02.dmi01.infra" = "web02.rat01.infra";
    "compute01.par01.infra" = "compute01.pav01.infra";
    "storage01.par01.infra" = "storage01.pav01.infra";

    # Miscellaneous redirections
    traque = "traque.katvayor.net.";

    # Temporary redirection for the BDS
    # FIXME: finish the django apps module
    "gestiobds.dj" = "cof.ens.fr.";
  };

  # Service names served by each node. `mkHosted` turns every node's list into
  # CNAME entries and `fuseAttrs` merges the per-node results into one set.
  #
  # A name listed here only makes the service resolvable. Who can reach it is
  # decided by the firewall, reverse proxy and the service's own
  # authentication, none of which are visible in this file.
  hosted =
    let
      # node name -> service names (only the `dual` family is used here)
      perNode = {
        compute01.dual = [
          "analytics" # Plausible Analytics
          "arkheon" # Arkheon
          "bridge" # Signal <-> IRC bridge
          "cloud" # Nextcloud
          "code" # Collabora Online
          "demarches" # Démarches Normaliennes
          "docs" # Outline
          "grafana" # Grafana
          "nms" # LibreNMS
          "pads" # Hedgedoc
          "pass" # Vaultwarden
          "pdf" # Stirling PDF
          "saml-idp" # Satosa
          "social" # Mastodon
          "sso" # Kanidm
          "support" # Zammad support
          "telegraf" # Telegraf

          # Beta-grade machine learning API servers
          # NOTE(review): confirm these APIs require authentication before
          # they are given a resolvable name.
          "ollama01.beta"
          "openui.beta"
          "whisper.beta"
          "stable-diffusion.beta"

          # DGSI
          "dgsi"
          "profil"
        ];

        storage01.dual = [
          "tvix-store" # tvix store
          "git" # Forgejo
          "influx" # InfluxDB
          "netbird" # Netbird
          "prometheus" # Prometheus
          "victoria-metrics" # Victoria Metrics
          "videos" # Peertube

          # Garage S3
          # The wildcard entries make every label under cdn/s3 resolve to this
          # node, so the service has to reject hostnames it does not know.
          "*.cdn"
          "*.s3"
          "cdn"
          "s3"
          # The administration endpoint for Garage.
          # NOTE(review): verify that the admin API is restricted at the
          # network or service level; the DNS entry does not limit access.
          "s3-admin"
        ];

        rescue01.dual = [
          "status" # Uptime Kuma
        ];

        vault01.dual = [
          "radius" # FreeRADIUS
        ];

        web01.dual = [
          "*.wp" # Wordpress
          "calendrier" # Metis
          "netbox" # Netbox
          "podcasts" # Castopod
          "push" # Ntfy.sh
          "pub" # Promotional URL (QR codes, etc.)

          # Static websites
          "eleves"
          "migrated.rz"
          "qr"
          "retired"
          "web-static"

          # Linkal
          "*.cal"
          "cal"
          "linkal"

          # Crab Fit
          "api.meet"
          "meet"
          "rdv" # Cf. the Toubon law
        ];

        web02.dual = [
          "cas-eleves" # CAS server
          "chat" # Mattermost
          "vote" # Kadenios
        ];

        web03.dual = [
          # Django Apps
          "*.webapps"
          "apps-webhook"
        ];
      };
    in
    fuseAttrs (builtins.attrValues (builtins.mapAttrs mkHosted perNode));

  # DKIM public key published under selector "kurisu". The same value is used
  # for the zone apex and for the `infra` subdomain.
  # NOTE(review): the DER header of `p` (MIGfMA0G...) looks like a 1024-bit RSA
  # key. RFC 8301 says signers should use at least 2048 bits; confirm the size
  # and plan a rotation to a new selector with a longer key.
  kurisuDKIM = [
    {
      selector = "kurisu";
      k = "rsa";
      s = [ "email" ]; # service type: the key is declared for e-mail only
      p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa5KuK6ry+Ss2VsKL0FsDpoBlc7dcXZyp62fGqFJFJv4/GEivPWiwbr2o5oLKjQVI4kIYjIZsyQJFtI/Xcu4BrtDdBknb5WvCN8V9EvIMh3pfXOBLVx4oqw4BR7wF8Rw1J9xyfgsfK+m2n0M39XlMHH0Nuy6kU48jH9vYpZs17ZQIDAQAB";
    }
  ];
in

{
  # Start of authority for the zone.
  SOA = {
    nameServer = "ns01.dgnum.eu.";
    # NOTE(review): written in SOA mailbox form, presumably dns@dgnum.eu; confirm
    adminEmail = "dns.dgnum.eu";
    retry = 3600;
    minimum = 300;
  };

  # Primary DNS servers
  NS = [
    "ns01.dgnum.eu." # ns-03.hubrecht.ovh
    "ns02.dgnum.eu." # kurisu.lahfa.xyz
  ];

  # dgnum.codeberg.pages
  # ALIAS = [ "codeberg.page" ];
  # The apex addresses are hard-coded instead of using the ALIAS above, so they
  # have to be updated by hand if the hosting provider changes them.
  A = [ "217.197.91.145" ];
  AAAA = [ "2001:67c:1401:20f0::1" ];

  # Inbound mail for the apex goes to a host outside this zone.
  MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];

  SRV = [
    {
      service = "autodiscover";
      proto = "tcp";
      port = 443;
      target = "autoconfig.mail.lahfa.xyz.";
    }
  ];

  TXT = [
    # NOTE(review): looks like the Codeberg Pages custom-domain marker; confirm
    "dgnum.codeberg.page"
    # Only the addresses of kurisu.lahfa.xyz are authorised to send mail.
    # NOTE(review): spf.strict presumably ends the record with "-all"; confirm
    # in the dns.nix combinators.
    (spf.strict [ "a:kurisu.lahfa.xyz" ])
  ];
  # Policy "none" is monitoring only: receivers are asked to take no action on
  # mail that fails DMARC, and no report address is set in this record.
  # Consider "quarantine" or "reject" once SPF/DKIM alignment has been checked.
  DMARC = [ { p = "none"; } ];
  DKIM = kurisuDKIM;

  # Everything below the apex. With `//` the right-hand set wins on a name
  # collision, so the hand-written entries take precedence over `cnames`, and
  # `cnames` over `hosted`.
  subdomains =
    hosted
    // cnames
    // {
      # Addresses of the zone's own name servers
      ns01 = {
        A = [ "51.178.27.125" ];
        AAAA = [ "2001:41d0:305:2100::542c" ];
      };
      ns02 = {
        A = [ "163.172.69.160" ];
        AAAA = [ "2001:bc8:38ee::1" ];
      };

      infra = {
        MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];

        TXT = [ (spf.strict [ "a:kurisu.lahfa.xyz" ]) ];
        # Monitoring-only DMARC policy, same as at the apex.
        DMARC = [ { p = "none"; } ];
        DKIM = kurisuDKIM;

        # One "<host>.<site>" entry per node whose nixpkgs.system is "nixos".
        subdomains =
          let
            nixosNodes = filterAttrs (_: node: node.nixpkgs.system == "nixos") meta.nodes;

            mkNode =
              host: node:
              let
                net = meta.network.${host};
                ipv4 = net.addresses.ipv4;
                ipv6 = net.addresses.ipv6;
              in
              nameValuePair "${host}.${node.site}" {
                A = ipv4;
                AAAA = ipv6;
                subdomains = {
                  v4.A = ipv4;
                  v6.AAAA = ipv6;
                  # NOTE(review): this publishes the node's Netbird address
                  # (when set) in the same zone as the public records. If the
                  # zone is served publicly, overlay addressing becomes visible
                  # to anyone; confirm that this is intended.
                  private.A = optional (net.netbirdIp != null) net.netbirdIp;
                };
              };
          in
          mapAttrs' mkNode nixosNodes;
      };

      # Delegation of lab.dgnum.eu to its own name server, with the address
      # record for that server.
      lab = {
        NS = [ "ns01.lab.dgnum.eu." ];

        subdomains.ns01.A = [ "45.13.104.26" ];
      };
    };
}