let
  src = import ./npins;
  pkgs = import src.nixpkgs { };
  disko = (import src.disko { inherit (pkgs) lib; });
  diskConfig = import ./disks/ext4.nix {
    inherit (pkgs) lib;
  };
in
{
  meta = {
    nixpkgs = src.nixpkgs;
  };

  defaults = { pkgs, ... }: {
    imports = [
      ./profiles/sysadmin.nix
      ./profiles/glucagon.nix
      "${src.agenix}/modules/age.nix"
      (disko.config diskConfig)
    ];

    security.acme.defaults.email = "monitoring@federez.net";
    security.acme.acceptTerms = true;

    systemd.network.enable = true;
    networking.useDHCP = false;
    services.openssh.enable = true;

    # Enable system diffs.
    system.activationScripts.system-diff = {
      supportsDryActivation = true; # safe: only outputs to stdout
      text = ''
        if [ -e /run/current-system ]; then
          PATH=$PATH:${pkgs.nix}/bin ${pkgs.nvd}/bin/nvd diff /run/current-system $systemConfig 
        fi
      '';
    };

    # Mot de passe classique qu'on trouvera dans le "trousseau" legacy.
    users.users.root.initialHashedPassword = "$y$j9T$RoSZj8ezgR7cI8Le6xqwW/$0BI6G1Nqy/G0g0sNhQhyEedqoHsEyMFVjQgc3TPqE.4";
    system.stateVersion = "24.05";
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
    time.timeZone = "Europe/Paris";
  };

  estragon = { name, nodes, ... }: {
    deployment.tags = [ "matrix" ];
    deployment.targetHost = "estragon.federez.net";
    networking.hostName = name;

    glucagon.networking = {
      nibble = 227;
      wan-mac = "BC:24:11:5C:A4:5A";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/matrix-server.nix
      ./profiles/element.nix
      ./profiles/telegram-bot.nix
      ./profiles/irc-bot.nix
    ];
  };

  wagon = { name, nodes, ... }: {
    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
    deployment.targetHost = "wagon.federez.net";
    networking.hostName = name;

    glucagon.networking = {
      nibble = 228;
      wan-mac = "BC:24:11:EA:6C:0B";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/vaultwarden.nix
    ];
  };

  lagon = { name, nodes, ... }: {
    deployment.tags = [ "keycloak" ];
    deployment.targetHost = "lagon.federez.net";
    networking.hostName = name;

    glucagon.networking = {
      nibble = 229;
      wan-mac = "BC:24:11:7F:19:60";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/keycloak.nix
    ];
  };

  klingon = { name, nodes, ... }: {
    deployment.tags = [ "monitoring" ];
    deployment.targetHost = "klingon.federez.net";
    networking.hostName = name;

    glucagon.networking = {
      nibble = 230;
      wan-mac = "BC:24:11:B7:AE:80";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/netdata.nix
    ];
  };
}