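{ lib, pkgs, config, ... }:
# PowerDNS authoritative server (gpgsql backend) on the host PostgreSQL
# instance, plus the database objects PowerDNS-Admin needs.  The
# PowerDNS-Admin container and its podman-postgresql instance are still
# commented out below and are not active.
let
  cfg = import ./vars.nix;
  webport = cfg.powerdns-admin.port;     # only used by the commented-out pda container
  webdbport = cfg.powerdns-admin.dbport; # only used by the commented-out podman-postgresql

  # Role and database names are kept identical for each application so that
  # peer authentication over the unix socket works and a later move to
  # `ensureDBOwnership` (see the postgresql block) needs no renaming.
  pdns_database = "pdns";
  pdns_user = "pdns";
  pdnsa_database = "powerdnsadmin";
  pgsql_host = "/run/postgresql";

  pdns_web_port = "8081";

  # Secrets are deliberately NOT read with builtins.readFile: anything that is
  # interpolated into extraConfig ends up in the world-readable Nix store.
  # They are supplied at runtime through services.powerdns.secretFile, an
  # EnvironmentFile with one KEY=VALUE per line, and referenced in extraConfig
  # as $PDNS_DB_PASSWORD and $PDNS_API_KEY, which the module expands with
  # envsubst into /run before pdns starts.
  # TODO(review): constructed path — create it root-owned with mode 0600, or
  # point it at a sops-nix secret such as the commented-out "powerdns-admin/env".
  pdns_secret_file = "/etc/nixos/keys/powerdns.env";
in {
  imports = [
    ./podman.nix
    ./podman-postgresql.nix # for the database
    ./postgresql.nix #to be dismissed
    #./nginx.nix # for the webserver
  ];

  #sops.secrets."powerdns-admin/db" = { };
  #sops.secrets."powerdns-admin/env" = { };

  services.powerdns = {
    enable = true;
    secretFile = pdns_secret_file;
    extraConfig = ''
      launch=gpgsql
      gpgsql-host=${pgsql_host}
      gpgsql-dbname=${pdns_database}
      gpgsql-user=${pdns_user}
      gpgsql-password=$PDNS_DB_PASSWORD
      webserver=yes
      webserver-port=${pdns_web_port}
      # NOTE(review): the API listens on every interface, accepts any source
      # and its port is opened in the firewall below, so the api-key is the
      # only protection.  Narrow webserver-address / webserver-allow-from to
      # the address PowerDNS-Admin actually connects from once that is known.
      webserver-address=0.0.0.0
      webserver-allow-from=0.0.0.0/0
      api=yes
      api-key=$PDNS_API_KEY
    '';
  };

  #services.podman-postgresql."${pdnsa_database}" = {
  #  enable = true;
  #  image = "docker.io/library/postgres:15-alpine";
  #  port = (lib.strings.toInt webdbport);
  #  passwordFile = config.sops.secrets."powerdns-admin/db".path;
  #};

  #virtualisation.oci-containers.containers.powerdnsadmin = {
  #  image = "docker.io/powerdnsadmin/pda-legacy";
  #  environment = {
  #    TZ = "Europe/Berlin";
  #  };
  #  environmentFiles = [ config.sops.secrets."powerdns-admin/env".path ];
  #  ports = [
  #    "${webport}:80"
  #  ];
  #  extraOptions = cfg.podman.extraOptions;
  #};

  services.postgresql = {
    ensureDatabases = [ pdns_database pdnsa_database ];
    # `ensurePermissions` was deprecated in NixOS 23.11 in favour of
    # `ensureDBOwnership = true`, which requires the role name to equal the
    # database name; both pairs below satisfy that, so the switch is mechanical.
    ensureUsers = [
      {
        name = pdns_user;
        ensurePermissions = { "DATABASE ${pdns_database}" = "ALL PRIVILEGES"; };
      }
      {
        name = pdnsa_database;
        ensurePermissions = { "DATABASE ${pdnsa_database}" = "ALL PRIVILEGES"; };
      }
    ];
  };

  services.postgresqlBackup.databases = [ pdns_database pdnsa_database ];

  # The attribute name is the unit name WITHOUT the ".service" suffix:
  # `systemd.services."pdns.service"` defines an unrelated "pdns.service.service"
  # and leaves the real pdns unit unordered against PostgreSQL.
  systemd.services.pdns = {
    after = [ "postgresql.service" ];
  };

  # 53: DNS.  The API port is derived from pdns_web_port so the two cannot
  # drift apart.  5432 exposes PostgreSQL to the network although pdns itself
  # uses the unix socket; presumably intended for the (currently disabled)
  # container — verify it is still needed before keeping it open.
  networking.firewall.allowedTCPPorts = [ 53 5432 (lib.toInt pdns_web_port) ];
  networking.firewall.allowedUDPPorts = [ 53 ];
}
# vim: set et ts=2 sw=2 ai: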