# NixOS module: run CoreDNS as this machine's resolver. It answers a small
# static host table built from `constants` and forwards every other name to
# public upstream resolvers.
{ constants, ... }:
let
  # Pull the needed attributes out explicitly instead of `with constants;`.
  inherit (constants) hosts ca-fqdn;
  # Named `svc` so it is not confused with the NixOS `services` option tree.
  svc = constants.services;
  dnsPort = 53;
in
{
  services = {
    # systemd-resolved is turned off; CoreDNS takes over name resolution.
    resolved.enable = false;

    coredns = {
      enable = true;
      # NOTE(review): the Corefile below is laid out one directive per line,
      # with `log` and `errors` as two separate plugins. Confirm this matches
      # the deployed file.
      #
      # Security notes on the server block:
      #  * `bind 0.0.0.0` listens on every IPv4 address of the host. Together
      #    with `forward .` and the firewall rules at the bottom of this
      #    module, any client that can reach port 53 gets recursive
      #    resolution. If the host has an interface on an untrusted network,
      #    that is an open resolver. Consider binding to specific addresses,
      #    adding the CoreDNS `acl` plugin, or opening the port per interface.
      #  * `hosts` serves the static records; `fallthrough` hands names that
      #    are not in the table to `forward`. Several service names resolve to
      #    the `sid` address. Presumably a reverse proxy runs there; confirm.
      #  * `forward . 1.1.1.1 8.8.8.8` sends queries upstream as plain DNS, so
      #    they are visible and modifiable on path. The forward plugin also
      #    accepts `tls://` upstreams with `tls_servername` when that matters.
      #  * `cache 30` caps cached answers at 30 seconds.
      config = ''
        .:${toString dnsPort} {
          bind 0.0.0.0
          hosts {
            ${hosts.sid.ip} ${ca-fqdn}
            ${hosts.rx4.ip} rx4.tail
            ${hosts.sid.ip} sid.tail
            ${hosts.vde.ip} vde.tail
            ${hosts.sid.ip} ${svc.netdata.fqdn}
            ${hosts.sid.ip} ${svc.vaultwarden.fqdn}
            ${hosts.sid.ip} ${svc.webdav.fqdn}
            fallthrough
          }
          forward . 1.1.1.1 8.8.8.8
          cache 30
          log
          errors
        }
      '';
    };
  };

  networking = {
    # Disable resolvconf and pin the loopback resolver, so the local CoreDNS
    # instance is the only configured nameserver.
    resolvconf.enable = false;
    nameservers = [ "127.0.0.1" ];

    # These two options open DNS on all interfaces. To expose it only on a
    # trusted interface, use
    # `networking.firewall.interfaces.<name>.allowedUDPPorts` and
    # `networking.firewall.interfaces.<name>.allowedTCPPorts` instead.
    firewall = {
      allowedUDPPorts = [ dnsPort ];
      allowedTCPPorts = [ dnsPort ];
    };
  };
}