{
  pkgs,
  ...
}:
let
  noc_eh22_internZone = ''
    $ORIGIN noc.eh22.intern.
    $TTL 3600

    ; zone management
    noc.eh22.intern.    IN SOA auth-dns.noc.eh22.intern. noc.eh22.esterhegg.eu. (
      1       ; serial (automatically incremented by knot)
      7200    ; refresh
      3600    ; retry
      3600000 ; expire
      60      ; negative response caching ttl
    )
    @           IN  NS   auth-dns

    ; A/AAAA records
    proxmox     IN  A    10.31.210.248
    auth-dns    IN  A    10.31.210.253
  '';

  knotConf = pkgs.writeText "knot.conf" ''
    server:
      listen: 0.0.0.0@53
      listen: ::@53

    log:
      - target: syslog
        any: info

    template:
      - id: default
        storage: /etc/knot/zones
        zonefile-load: difference-no-serial
        semantic-checks: "on"
        journal-content: all

    zone:
      - domain: noc.eh22.intern
  '';
in
{
  imports = [ ];

  # enable knot authorative dns server
  # ref: https://search.nüschtos.de/?query=services.knot
  #      https://www.knot-dns.cz/docs/3.4/html/configuration.html
  environment.etc."knot/zones/noc.eh22.intern.zone".text = noc_eh22_internZone;
  services.knot = {
    enable = true;
    settingsFile = knotConf;
  };

  # DO NOT CHANGE
  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11";
}