{ ... }:
let
  domains = import ../../modules/dns/domains.nix;
in
{
  imports = [
    ../../modules/dns/authoritative.nix
  ];

  clan.core.sops.defaultGroups = [ "admins" ];

  time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
  services.timesyncd.enable = true;

  # ns2 = secondary (slave): pulls every zone from ns1 and accepts its NOTIFY.
  services.knot.settings.zone = map (d: {
    domain = d;
    master = [ "ns1" ];
    acl = [ "acl_ns1" ];
  }) domains;
}