{ config, ... }:
{
  services.coredns = {
    enable = true;

    config = ''
      datarift.nl:5454 {
        bind 127.0.0.1 ::1
        tailscale datarift.nl {
          authkey {$TS_AUTHKEY}
          fallthrough
        }
        forward . 127.0.0.1:5335
        log
        errors
      }

      .:5454 {
        bind 127.0.0.1 ::1
        forward . 127.0.0.1:5335
        log
        errors
      }
    '';
  };

  systemd.services.coredns = {
    environment = {
      HOME = "%S/coredns";
    };
    serviceConfig = {
      StateDirectory = "coredns";
      EnvironmentFile = [ config.sops.secrets.coredns-env.path ];
    };
  };
}