{ config, ... }:
let
  domains = import ../../modules/dns/domains.nix;
  hosts = import ../../modules/hosts.nix;
in
{
  imports = [
    ../../modules/dns/authoritative.nix
    ../../modules/static-ipv6.nix
    ../../modules/monitoring/exporters.nix
  ];

  clan.core.sops.defaultGroups = [ "admins" ];

  # Public IPv6 (from modules/hosts.nix; matches the ns2 AAAA glue); SLAAC
  # doesn't bring it up here.
  cnx.staticIPv6 = {
    enable = true;
    address = hosts.${config.networking.hostName}.ipv6;
  };

  time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
  services.timesyncd.enable = true;

  # ns2 = secondary (slave): pulls every zone from ns1 and accepts its NOTIFY.
  services.knot.settings.zone = map (d: {
    domain = d;
    master = [ "ns1" ];
    acl = [ "acl_ns1" ];
  }) domains;
}