# DNS records for the shelvacu.com zone, declared through this repo's
# `vacu.dns` module. Record values are always lists, so `one` wraps a scalar.
{ config, lib, vaculib, ... }:
let
  one = v: [ v ];

  inherit (config.vacu) dnsData;

  tripIps = one dnsData.tripPublicV4;
  propIps = one dnsData.propPublicV4;
  solisIps = one config.vacu.hosts.solis.primaryIp;
  # Host that the mail-related names (autoconfig, imap, mail, smtp) resolve to.
  mailHost = one "178.128.79.152";

  # Domains whose DMARC policies may send aggregate/forensic reports to a
  # shelvacu.com mailbox (RFC 7489 external reporting).
  # Example: _dmarc.dis8.net has "rua=rua-reports@shelvacu.com"; receivers only
  # deliver those reports once they find a "v=DMARC1" TXT at
  # dis8.net._report._dmarc.shelvacu.com.
  # Authorizes every domain configured in this repo plus one wildcard level
  # below it (ideally all levels, but that is hard; this should be good enough).
  reportAllowedDomains =
    lib.concatMap (domain: [ domain "*.${domain}" ]) (lib.attrNames config.vacu.dns);

  # One CAA record. `critical` is the issuer-critical flag (RFC 8659 bit 128):
  # a CA that does not understand a tag marked critical must not issue.
  caa = critical: tag: value: {
    issuerCritical = critical;
    inherit tag value;
  };

  # dmarc_allow = { TXT = [ "v=DMARC1" ]; };
in
{
  vacu.dns."shelvacu.com" = { ... }: {
    imports = [
      dnsData.modules.cloudns
      dnsData.modules.liamMailRootDomain
    ];

    A = tripIps;

    # Certificate issuance policy: only Let's Encrypt and Sectigo may issue for
    # this zone, only Let's Encrypt may issue wildcards, and CAA violations are
    # reported to the iodef mailbox.
    CAA = [
      (caa true "issue" "letsencrypt.org")
      (caa true "issue" "sectigo.com")
      (caa true "issuewild" "letsencrypt.org")
      (caa false "iodef" "mailto:caa-violation@shelvacu.com")
    ];

    subdomains = {
      # Names served from trip.
      # "*".A = tripIps;
      auth.A = tripIps;
      id.A = tripIps;
      nixcache.A = tripIps;
      trip.A = tripIps;
      www.A = tripIps;

      # Mail service names.
      autoconfig.A = mailHost;
      imap.A = mailHost;
      mail.A = mailHost;
      smtp.A = mailHost;

      # Names served from prophecy.
      prop.CNAME = one "prophecy";
      prophecy = {
        A = propIps;
        subdomains.garage.subdomains = {
          s3.A = propIps;
          admin.A = propIps;
        };
      };
      mumble.A = propIps;
      dav-experiment.A = propIps;

      # Names served from solis.
      sol.CNAME = one "solis";
      solis = {
        A = solisIps;
        subdomains.garage.subdomains = {
          s3.A = solisIps;
          admin.A = solisIps;
        };
      };

      # Standalone hosts.
      awoo.A = one "45.142.157.71";
      servacu.A = one "167.99.161.174";
      # "2esrever.zt".A = one "10.244.46.71";
      # "frosting.zt".A = [ "10.244.141.219" ];
      # "ms-7522.zt.shelvacu.com" -- clearly unused
      # powerhouse: dynamic, so no record here

      # ClouDNS name servers.
      ns1.CNAME = one "pns51.cloudns.net.";
      ns2.CNAME = one "pns52.cloudns.net.";
      ns3.CNAME = one "pns53.cloudns.net.";
      ns4.CNAME = one "pns54.cloudns.net.";

      # ACME DNS-01 challenges are delegated by CNAME to a separate challenge
      # zone (an acme-dns style service, judging by the target), so the ACME
      # client never needs credentials for this zone itself.
      _acme-challenge.CNAME = one "5cb20bf7-5203-417f-b729-fa3a3ad3b775.auwwth.dis8.net.";

      # DKIM selectors for third-party senders (Amazon SES, MailerSend).
      # NOTE(review): these attr paths nest `_domainkey` *under* the selector
      # label; confirm the module emits `<selector>._domainkey.shelvacu.com`
      # (the form the providers publish) rather than `_domainkey.<selector>.shelvacu.com`.
      hzo3bcydh5khtpeio6zrzb7kwcwiccnh.subdomains._domainkey.CNAME =
        one "hzo3bcydh5khtpeio6zrzb7kwcwiccnh.dkim.amazonses.com.";
      mlsend2.subdomains._domainkey.CNAME = one "mlsend2._domainkey.mailersend.net.";
      # mta.CNAME = one "mailersend.net.";
      # "duo-1720147659938-f009dc8e._domainkey".TXT = "v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyH6BNRePSuI7Vs+bPd1MfFSp+O0XkYLOF4j6azRp4a80vi9wOWcCO5PEMOt4nsepwp2WyV0u9N/8XWzBQEK5x2ABFkBkHwfzN6Afm9n6H6tOjNORhGP/cv2txiNhdoPamQdTttqrYZGYGxJyj5pSuc+cXNx5UxUr2a+FKdxuWewIDAQAB";

      # skipping hosted-email-verify=y3cjgqb2

      # AT Protocol handle verification: binds the DID to this domain.
      _atproto.TXT = one "did=did:plc:oqenurzqeji6ulii3myxls64";

      # ft: wildcard host with its own ACME challenge delegation (acme-dns.io).
      ft.subdomains = {
        "*".A = one "45.87.250.193";
        _acme-challenge.CNAME = one "17aa43aa-9295-4522-8cf2-b94ba537753d.auth.acme-dns.io.";
      };

      # DMARC external-report authorization: one "v=DMARC1" TXT per domain in
      # reportAllowedDomains, published under _report._dmarc.shelvacu.com.
      "_report._dmarc".subdomains =
        vaculib.mapNamesToAttrsConst { TXT = one "v=DMARC1"; } reportAllowedDomains;
    };
  };
}