let
  src = import ./npins;
  pkgs = import src.nixpkgs { };
  disko = (import src.disko { inherit (pkgs) lib; });
  diskConfig = import ./disks/ext4.nix {
    inherit (pkgs) lib;
  };
in
{
  meta = {
    nixpkgs = src.nixpkgs;
  };

  defaults = { pkgs, ... }: {
    imports = [
      ./profiles/sysadmin.nix
      "${src.agenix}/modules/age.nix"
      (disko.config diskConfig)
    ];

    security.acme.defaults.email = "monitoring@federez.net";
    security.acme.acceptTerms = true;

    systemd.network.enable = true;
    networking.useDHCP = false;
    services.openssh.enable = true;

    # Mot de passe classique qu'on trouvera dans le "trousseau" legacy.
    users.users.root.initialHashedPassword = "$y$j9T$RoSZj8ezgR7cI8Le6xqwW/$0BI6G1Nqy/G0g0sNhQhyEedqoHsEyMFVjQgc3TPqE.4";
    system.stateVersion = "24.05";
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
    time.timeZone = "Europe/Paris";
  };

  estragon = { name, nodes, ... }: {
    deployment.tags = [ "matrix" ];
    deployment.targetHost = "estragon.federez.net";
    systemd.network.links."10-wan" = {
      matchConfig.MACAddress = "BC:24:11:5C:A4:5A";
      linkConfig.Name = "wan";
    };
    systemd.network.networks."10-wan" = {
      matchConfig.Name = "wan";
      address = [
        "172.17.8.227/22"
      ];
      routes = [
        {
          routeConfig = {
            Gateway = "172.17.11.254";
          };
        }
      ];
      linkConfig.RequiredForOnline = "routable";
    };

    networking.hostName = name;

    imports = [
      ./profiles/vm.nix
      ./profiles/matrix-server.nix
      ./profiles/element.nix
      ./profiles/telegram-bot.nix
      ./profiles/irc-bot.nix
    ];
  };

  wagon = { name, nodes, ... }: {
    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
    deployment.targetHost = "wagon.federez.net";
    networking.hostName = name;

    systemd.network.links."10-wan" = {
      matchConfig.MACAddress = "BC:24:11:EA:6C:0B";
      linkConfig.Name = "wan";
    };
    systemd.network.networks."10-wan" = {
      matchConfig.Name = "wan";
      address = [
        "172.17.8.228/22"
      ];
      routes = [
        {
          routeConfig = {
            Gateway = "172.17.11.254";
          };
        }
      ];
      linkConfig.RequiredForOnline = "routable";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/vaultwarden.nix
    ];
  };

  lagon = { name, nodes, ... }: {
    deployment.tags = [ "keycloak" ];
    deployment.targetHost = "lagon.federez.net";
    networking.hostName = name;

    systemd.network.links."10-wan" = {
      matchConfig.MACAddress = "BC:24:11:7F:19:60";
      linkConfig.Name = "wan";
    };
    systemd.network.networks."10-wan" = {
      matchConfig.Name = "wan";
      address = [
        "172.17.8.229/22"
      ];
      routes = [
        {
          routeConfig = {
            Gateway = "172.17.11.254";
          };
        }
      ];
      linkConfig.RequiredForOnline = "routable";
    };

    imports = [
      ./profiles/vm.nix
      ./profiles/keycloak.nix
    ];
  };

}