# NixOS module for the authoritative DNS host: Knot DNS serving eh22.intern.
#
# References:
#   https://search.nüschtos.de/?query=services.knot
#   https://www.knot-dns.cz/docs/3.4/html/configuration.html
{ pkgs, lib, ... }:
let
  zoneDir = ../data/zones;

  # One /etc/knot/zones/<name> entry per directory entry of ../data/zones.
  # The entry type reported by readDir is ignored, so everything placed in
  # that directory is shipped to the host, whether or not knot.conf declares
  # a zone for it (only eh22.intern is declared below).
  zoneEtcEntries = lib.mapAttrs' (
    name: _fileType:
    lib.nameValuePair "knot/zones/${name}" { source = zoneDir + "/${name}"; }
  ) (builtins.readDir zoneDir);

  # Rendered verbatim as knot.conf.
  #
  # NOTE(review): the server binds to every IPv4 and IPv6 address on port 53.
  #   No `acl` section is defined; as far as I know Knot then refuses zone
  #   transfers, NOTIFY and dynamic updates and answers ordinary queries only.
  #   Confirm, and if secondaries are added later, prefer key-authenticated
  #   ACL rules.
  # NOTE(review): no response rate limiting (Knot's mod-rrl) is configured.
  #   An open UDP responder is a common reflection source, so consider
  #   enabling it if this address is reachable from untrusted networks.
  # NOTE(review): zonefile-sync is left at its default while the zone files
  #   under /etc/knot/zones come from environment.etc. Confirm Knot does not
  #   try to write zone files back into that directory; the Knot docs appear
  #   to pair difference-no-serial with `zonefile-sync: -1`.
  knotConf = pkgs.writeText "knot.conf" ''
    server:
      listen: 0.0.0.0@53
      listen: ::@53
    log:
      - target: syslog
        any: info
    template:
      - id: default
        storage: /etc/knot/zones
        zonefile-load: difference-no-serial
        semantic-checks: "on"
        journal-content: all
    zone:
      - domain: eh22.intern
  '';
in
{
  imports = [ ];

  # Zone files are installed below /etc/knot/zones, the `storage` directory
  # named in knot.conf.
  environment.etc = zoneEtcEntries;

  # Enable the Knot authoritative DNS server with the hand-written config.
  services.knot = {
    enable = true;
    settingsFile = knotConf;
  };

  # systemd-resolved is switched off on this host.
  # presumably so that port 53 is free for Knot — confirm
  services.resolved.enable = false;

  networking = {
    # Port 53 is opened for TCP and UDP without an interface or source
    # restriction. The zone name suggests internal use: if it is not meant
    # to be resolvable by everyone who can reach 94.45.254.3, the filtering
    # has to happen here or upstream.
    firewall = {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };

    # Static IPv4 addressing on ens18.
    interfaces.ens18.ipv4.addresses = [
      {
        address = "94.45.254.3";
        prefixLength = 25;
      }
    ];
    defaultGateway = "94.45.254.1";
  };

  # DO NOT CHANGE
  # This records the first NixOS version installed on the machine, so that
  # programs with non-migratable data files are kept compatible.
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11";
}