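# Deployment hive: shared `defaults` plus one attribute per host, each carrying
# deployment.* options (this looks like the Colmena hive layout; confirm against
# the deploy tool actually used).
let
  # Pinned sources, managed with npins.
  src = import ./npins;

  # NOTE(review): olm-3.2.16 is allowed even though nixpkgs marks it insecure,
  # and the exception is set on the package set shared through meta.nixpkgs, so
  # it is not limited to the hosts that need it. Presumably only the
  # Matrix-related profiles depend on olm; confirm, and narrow or drop the
  # exception once they no longer do.
  pkgs = import src.nixpkgs {
    config.permittedInsecurePackages = [ "olm-3.2.16" ];
  };

  disko = (import src.disko { inherit (pkgs) lib; });

  # Single ext4 disk layout reused by every VM that imports disko below.
  diskConfig = import ./disks/ext4.nix { inherit (pkgs) lib; };
in
{
  meta = {
    nixpkgs = pkgs;
    nodeNixpkgs = {
      # FIXME: discourse is broken on unstable
      pendragon = src."nixpkgs-24.11";
    };
  };

  # FIXME nixpkgs.config.permittedInsecurePackage = [ "olm-3.2.16" ];

  # Settings applied to every node.
  # `name` must be listed in the argument set: the body interpolates it into
  # deployment.targetHost and networking.hostName, and nothing in the enclosing
  # `let` binds it, so without it the file fails with an undefined variable.
  defaults = { name, pkgs, lib, ... }: {
    imports = [
      ./profiles/sysadmin.nix
      #./profiles/ldap.nix
      "${src.agenix}/modules/age.nix"
    ];

    deployment.targetHost = "${name}.federez.net";
    networking.hostName = name;

    security.acme.defaults.email = "monitoring@federez.net";
    security.acme.acceptTerms = true;

    systemd.network.enable = true;
    networking.useDHCP = false;

    # NOTE(review): no sshd hardening is visible in this file; presumably
    # ./profiles/sysadmin.nix sets the authentication policy. Confirm that
    # password logins are disabled there.
    services.openssh.enable = true;
    networking.nftables.enable = true;

    # Enable system diffs.
    system.activationScripts.system-diff = {
      supportsDryActivation = true; # safe: only outputs to stdout
      text = ''
        if [ -e /run/current-system ]; then
          PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system $systemConfig
        fi
      '';
    };

    # Usual password, to be found in the legacy "keyring".
    # NOTE(review): the hash is readable by anyone who can read this file, so the
    # password's strength is the only protection against offline guessing.
    # agenix is already imported above; users.users.root.hashedPasswordFile
    # pointing at an age secret would keep the hash out of the repository.
    users.users.root.initialHashedPassword = "$y$j9T$RoSZj8ezgR7cI8Le6xqwW/$0BI6G1Nqy/G0g0sNhQhyEedqoHsEyMFVjQgc3TPqE.4";

    system.stateVersion = "24.05";
    time.timeZone = "Europe/Paris";
  };

  vogon = { ... }: {
    deployment.tags = [ "hypervisor" ];
    networking.hostId = "1751e2a7";
    imports = [
      ./profiles/vogon.nix
      ./profiles/incus.nix
    ];
  };

  estragon = { pkgs, ... }: {
    deployment.tags = [ "matrix" ];
    glucagon.networking = {
      nibble = 227;
      wan-mac = "BC:24:11:5C:A4:5A";
    };
    infra-net.leaf = {
      mac = "BC:24:11:AC:7B:59";
      id = 12;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/matrix-server.nix
      ./profiles/element.nix
      ./profiles/telegram-bot.nix
      ./profiles/irc-bot.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

  wagon = { pkgs, ... }: {
    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
    glucagon.networking = {
      nibble = 228;
      wan-mac = "BC:24:11:EA:6C:0B";
    };
    infra-net.leaf = {
      mac = "BC:24:11:5A:0F:44";
      id = 8;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/vaultwarden.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

  lagon = { pkgs, ... }: {
    deployment.tags = [ "keycloak" "wayf" ];
    glucagon.networking = {
      nibble = 229;
      wan-mac = "BC:24:11:7F:19:60";
    };
    infra-net.leaf = {
      mac = "BC:24:11:91:61:8E";
      id = 9;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/wayf.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

  aragon = { pkgs, ... }: {
    deployment.tags = [ "gitlab" ];
    glucagon.networking = {
      nibble = 231;
      wan-mac = "BC:24:11:E3:12:4A";
    };
    infra-net.leaf = {
      mac = "BC:24:11:E4:C7:69";
      id = 10;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/gitlab.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

  pendragon = { pkgs, ... }: {
    deployment.tags = [ "discourse" ];
    glucagon.networking = {
      nibble = 233;
      wan-mac = "BC:24:11:C2:AA:47";
    };
    infra-net.leaf = {
      mac = "BC:24:11:31:B8:DD";
      id = 11;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/discourse.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

  # NOTE(review): unlike the VMs above, this node sets glucagon.networking and
  # infra-net.leaf without importing ./profiles/glucagon.nix or
  # ./profiles/infra-net.nix, and has no disko entries. Presumably those options
  # are declared by another imported profile; confirm.
  perdrigon = { pkgs, ... }: {
    deployment.tags = [ "indico" ];
    glucagon.networking = {
      nibble = 234;
      wan-mac = "BC:24:11:04:9B:51";
    };
    infra-net.leaf = {
      mac = "BC:24:11:09:B8:76";
      id = 17;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/indico.nix
    ];
  };

  martagon = { name, nodes, ... }: {
    deployment.tags = [ "victoria" "grafana" ];

    # These two repeat the values that `defaults` derives from the node name.
    deployment.targetHost = "martagon.federez.net";

    # NOTE(review): this API key is committed in plaintext, and as an ordinary
    # option value it is likely to be copied into the world-readable Nix store
    # of the deployed host. agenix is imported in `defaults`; if
    # federez.monitoring can read the key from a file (confirm in the profile
    # that declares it), move it to an age secret. Either way the committed
    # value should be rotated.
    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";

    networking.hostName = name;
    glucagon.networking = {
      nibble = 236;
      wan-mac = "BC:24:11:7A:F6:2F";
    };
    imports = [
      ./profiles/vm.nix
      ./profiles/victoria.nix
      ./profiles/grafana.nix
    ];
  };
}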