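# Flake exposing a dev shell with BIND's DNS tooling and a `sign-root-zone`
# app that generates DNSSEC key material for the root zone (".") and writes
# the public trust-anchor files into ./output of the current directory.
{
  description = "resign-dnssec";

  # All inputs are fetched over git+https from a Forgejo mirror. The URLs
  # name no revision (nixpkgs follows the moving `nixpkgs-unstable` ref), so
  # the revisions actually built are whatever flake.lock records.
  # NOTE(review): keep flake.lock committed and review its updates; it is the
  # only thing pinning the toolchain that generates these keys.
  inputs = {
    nixpkgs.url = "git+https://forgejo.spacetime.technology/nix-mirrors/nixpkgs?ref=nixpkgs-unstable&shallow=1";
    flake-parts.url = "git+https://forgejo.spacetime.technology/nix-mirrors/flake-parts?shallow=1";
    system.url = "git+https://forgejo.spacetime.technology/arbel/nix-system?shallow=1";
  };

  outputs =
    { self, ... }@inputs:
    inputs.flake-parts.lib.mkFlake { inherit inputs self; } {
      flake = { };

      # The list of supported systems is supplied by the `system` input.
      systems = inputs.system.arches;

      perSystem =
        { pkgs, ... }:
        let
          # Defined once and used for both `default` and `sign-root-zone`.
          # The original wrote `default = self.apps.sign-root-zone`, but the
          # flake-level `apps` output is keyed by system first
          # (apps.<system>.<name>), so that attribute does not exist and the
          # default app failed to evaluate.
          signRootZone = {
            type = "app";
            program = pkgs.writeShellApplication {
              name = "sign-root-zone";
              # NOTE(review): the script below never calls git; pkgs.git is
              # kept only because the original listed it.
              runtimeInputs = [
                pkgs.bind
                pkgs.git
              ];
              text = /*bash*/ ''
                # Trace each command. Only paths and flags appear on the
                # command lines below, never key contents.
                set -x

                # Private keys are generated in a fresh directory from
                # mktemp -d, which is created for the invoking user only.
                tmpdir="$(mktemp -d)"
                cleanup () {
                  if [ -n "$tmpdir" ]; then
                    rm -r "$tmpdir"
                  fi
                }
                # NOTE(review): this trap removes BOTH key pairs when the
                # script exits, so anchor.key / anchor.ds end up describing
                # a KSK whose private half no longer exists, and the path
                # echoed on the last line is already gone when a caller
                # reads it. Confirm whether the signing step is still to be
                # added before the trap fires, or whether the keys are meant
                # to be moved somewhere durable and access-controlled.
                # rm only unlinks; it does not overwrite the key files.
                trap cleanup EXIT

                # The anchor files are written relative to the current
                # directory; create the target so a fresh checkout does not
                # abort at the cp below.
                mkdir -p ./output

                # Key-signing key for the root zone.
                # NOTE(review): -b is believed to be unnecessary for
                # elliptic-curve algorithms (the curve fixes the key size);
                # verify against the dnssec-keygen man page and drop it.
                dnssec-keygen -K "$tmpdir" -f KSK -a ECDSA384 -b 4096 -n ZONE .

                # Publish only the public half: the DNSKEY record and the DS
                # record derived from it. At this point the directory holds
                # exactly one .key file, so the glob is unambiguous.
                cp "$tmpdir/"*.key ./output/anchor.key
                dnssec-dsfromkey "$tmpdir/"*.key > ./output/anchor.ds

                # Zone-signing key, kept in its own subdirectory so the
                # KSK globs above can never match it.
                mkdir -p "$tmpdir/zonekey"
                dnssec-keygen -K "$tmpdir/zonekey" -a ECDSA384 -b 4096 -n ZONE .

                echo "$tmpdir"
              '';
            };
          };
        in
        {
          # Interactive shell with dig and the BIND utilities.
          devShells = {
            default = pkgs.mkShell {
              nativeBuildInputs = [
                pkgs.dig
                pkgs.bind
              ];
            };
          };

          apps = {
            default = signRootZone;
            sign-root-zone = signRootZone;
          };
        };
    };
}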