{ pkgs, config, ... }:
{
  services.coredns = {
    enable = true;
    package = pkgs.coredns.override {
      externalPlugins = [
        {
          name = "tailscale";
          repo = "github.com/damomurf/coredns-tailscale";
          version = "98dc7fc4862250aad9f00d1e50ac7b8e69bd2af9";
        }
      ];
    };

    config = ''
      datarift.nl:5454 {
        tailscale datarift.nl {
          authkey {$TS_AUTHKEY}
        }
        log
        errors
      }
    '';
  };

  systemd.services.coredns.serviceConfig.EnvironmentFile = [ config.sops.secrets.coredns-env.path ];
}