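# DNSimple provider setup, zone declarations and zone records, written as a
# Nix module that emits Terraform configuration (terranix-style `tf.ref`).
{ lib, config, ... }:
let
  # `genList` was inherited here but never used, so it is dropped.
  inherit (lib) mkEnableOption mkIf tf;
  cfg = config.bagel.dnsimple;
in
{
  options.bagel.dnsimple = {
    enable = mkEnableOption "the DNSimple configuration";
  };

  config = mkIf cfg.enable {
    # "~> 1.7.0" still admits any 1.7.x release. The exact artifact is only
    # fixed by the provider hashes in the dependency lock file, so keep that
    # file committed and review changes to it.
    terraform.required_providers.dnsimple = {
      version = "~> 1.7.0";
      source = "dnsimple/dnsimple";
    };

    # The API token and account id are read from resource attributes below,
    # which means their values are held in the Terraform state: the state
    # backend must be access-controlled and encrypted at rest.
    # prevent_destroy makes a plan that would delete either secret fail
    # instead of silently discarding the credential.
    resource.secret_resource.dnsimple_token.lifecycle.prevent_destroy = true;
    resource.secret_resource.dnsimple_account.lifecycle.prevent_destroy = true;

    provider.dnsimple = {
      token = tf.ref "resource.secret_resource.dnsimple_token.value";
      account = tf.ref "resource.secret_resource.dnsimple_account.value";
    };

    resource.dnsimple_zone.forkos_org = {
      name = "forkos.org";
    };

    resource.dnsimple_zone.fleurixos_org = {
      name = "fleurixos.org";
    };

    resource.dnsimple_zone.floral_systems = {
      name = "floral.systems";
    };

    resource.dnsimple_zone.flowery_systems = {
      name = "flowery.systems";
    };

    resource.dnsimple_zone.petalpkgs_org = {
      name = "petalpkgs.org";
    };

    resource.dnsimple_zone.vzfdfp_de = {
      name = "vzfdfp.de";
    };

    resource.dnsimple_zone_record =
      let
        # https://registry.terraform.io/providers/dnsimple/dnsimple/latest/docs/resources/zone_record

        # Terraform resource name for a record: "<zone>_<type>_<name>".
        canonicalName = zoneName: record:
          let
            # TODO: make less fragile and have actual unique and stable names
            # Only "." and "@" are rewritten, so distinct records can map to
            # the same name ("a.b" vs "a_b", or two records sharing a name and
            # type), and other characters such as "*" pass through unchanged.
            normalize = builtins.replaceStrings [ "." "@" ] [ "_" "_root_" ];
            zone = normalize zoneName;
            name = normalize record.name;
          in
          "${zone}_${record.type}_${name}";

        # One zone record, without its zone; `domain` adds zone_name.
        record = name: ttl: type: value: {
          inherit name ttl type value;
        };

        # The given record plus an A record for the same name pointing at the
        # sniproxy. With type = "A" both entries get the same canonical name,
        # which `domain` rejects.
        # The proxy address is hard-coded: if that host is moved or retired,
        # every name built through this helper keeps pointing at an address
        # the project no longer controls, so update it in the same change.
        proxyRecords = name: ttl: type: value: [
          # kurisu.lahfa.xyz running a sniproxy:
          (record name ttl "A" "163.172.69.160")
          (record name ttl type value)
        ];

        # Creates an extra *.p record pointing to the sniproxy
        dualProxyRecords = name: ttl: type: value: lib.flatten [
          (record name ttl type value)
          (proxyRecords "${name}.p" ttl type value)
        ];

        # Turns the (possibly nested) record list of one zone into an attrset
        # keyed by canonical name. builtins.listToAttrs keeps only the first
        # entry for a repeated name, which would silently drop a DNS record
        # from the generated configuration, so colliding names abort the
        # evaluation instead.
        domain = zoneName: records:
          let
            entries = map (r: {
              name = canonicalName zoneName r;
              value = r // { zone_name = zoneName; };
            }) (lib.flatten records);
            names = map (entry: entry.name) entries;
            duplicates = lib.unique (
              lib.filter (n: lib.count (m: m == n) names > 1) names
            );
          in
          if duplicates != [ ] then
            throw "bagel.dnsimple: colliding record names in zone ${zoneName}: ${builtins.concatStringsSep ", " duplicates}"
          else
            builtins.listToAttrs entries;

        # Merges the per-zone attrsets into one. lib.zipAttrs collects the
        # values of each name into a list, so every resource body ends up as a
        # list (one element while normalized zone prefixes stay distinct).
        # NOTE(review): presumably relies on Terraform's JSON syntax accepting
        # a one-element array as a block body; confirm.
        zones = domains:
          lib.zipAttrs (
            lib.mapAttrsToList (zoneName: records: domain zoneName records) domains
          );
      in
      zones {
        "flowery.systems" = [
          # NOTE(review): this is a CNAME on the empty (apex) name; confirm the
          # provider accepts it or whether another record type is intended.
          (record "" 300 "CNAME" "news.forkos.org")
        ];
        "vzfdfp.de" = [ ];
      };
  };
}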