{ pkgs, lib, config, ... }:

with lib;
let

in {
  config = {
    users = {
      users = {
        backplane-powerdns = {
          isSystemUser = true;
        };
        backplane-dns = {
          isSystemUser = true;
        };
      };

      groups = {
        backplane-powerdns = {
          members = [ "backplane-powerdns" ];
        };
        backplane-dns = {
          members = [ "backplane-dns" ];
        };
      };
    };

    fudo = {
      password.file-generator = {
        dns_backplane_powerdns = {
          file = "/srv/backplane/dns/secure/db_powerdns.passwd";
          user = config.services.postgresql.superUser;
          group = "backplane-powerdns";
          restart-services = [
            "backplane-dns-config-generator.service"
            "postgresql-password-setter.service"
            "backplane-powerdns.service"
          ];
        };
        dns_backplane_database = {
          file = "/srv/backplane/dns/secure/db_backplane.passwd";
          user = config.services.postgresql.superUser;
          group = "backplane-dns";
          restart-services = [
            "backplane-dns.service"
            "postgresql-password-setter.service"
          ];
        };
      };

      postgresql = {
        enable = true;
        required-services = [ "fudo-passwords.target" ];

        users = {
          backplane_powerdns = {
            password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
            databases = {
              backplane_dns = {
                access = "CONNECT";
                # entity-access = {
                #   "ALL TABLES IN SCHEMA public" = "SELECT";
                # };
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
          backplane_dns = {
            password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
            databases = {
              backplane_dns = {
                access = "CONNECT";
                entity-access = {
                  "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
                  "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
                };
              };
            };
          };
        };

        databases = {
          backplane_dns = {
            users = ["niten"];
          };
        };
      };

      backplane.dns = {
        enable = true;
        listen-v4-addresses = [ "208.81.3.126" ];
        listen-v6-addresses = [ "[2605:e200:d200:1:6d:e2ff:fee1:adca]" ];
        required-services = [ "fudo-passwords.target" ];
        user = "backplane-dns";
        group = "backplane-dns";
        database = {
          username = "backplane_powerdns";
          database = "backplane_dns";
          # Uses an IP to avoid cyclical dependency...not really relevant, but
          # whatever
          host = "127.0.0.1";
          password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
        };
        backplane = {
          host = "backplane.fudo.org";
          role = "service-dns";
          password-file = "/srv/backplane/dns/secure/backplane.passwd";
          database = {
            username = "backplane_dns";
            database = "backplane_dns";
            host = "127.0.0.1";
            password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
          };
        };
      };
    };
  };
}