{ pkgs, config, ... }:
{
  services.coredns = {
    enable = true;
    package = pkgs.coredns.override {
      externalPlugins = [
        {
          name = "tailscale";
          repo = "github.com/damomurf/coredns-tailscale";
          version = "750df081a3cc63f325ecfde6c30a974dc0e4bf56";
        }
      ];
      vendorHash = "sha256-X4PSkXURIJxt7ouf5jQ7j3kJegsPsk8cqXEt6kyVnVY=";
    };

    config = ''
      datarift.nl:5454 {
        bind 127.0.0.1 ::1
        tailscale datarift.nl {
          authkey {$TS_AUTHKEY}
        }
        log
        errors
      }

      .:5454 {
        bind 127.0.0.1 ::1
        forward . 127.0.0.1:5335
        log
        errors
      }
    '';
  };

  systemd.services.coredns = {
    environment = {
      HOME = "%S/coredns";
    };
    serviceConfig = {
      StateDirectory = "coredns";
      EnvironmentFile = [ config.sops.secrets.coredns-env.path ];
    };
  };
}