{...}:
{
  config = {
    fileSystems."/var/lib/knot" =
      { device = "surtr/safe/var-lib-knot";
        fsType = "zfs";
      };
    
    services.knot = {
      enable = true;
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
          listen: ::1@53
          listen: 202.61.241.61@53
          listen: 2a03:4000:52:ada::@53

        template:
         - id: default
           storage: /var/lib/knot

        policy:
          - id: rsa
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d

        zone:
          - domain: yggdrasil.li
            file: ${./zones/li.yggdrasil.soa}
            zonefile-sync: -1
            semantic-checks: on
            dnssec-signing: on
      '';
    };
  };
}