{ config, pkgs, lib, ... }:
let

  retiolum = pkgs.fetchgit {
    url = "https://github.com/krebs/retiolum";
    rev = "5b067937a10ea43f88f14cc6e0a5485c2ddcc826";
    sha256 = "0kczrr6dr5dmhx2kbanw46w6ig2v3w42rqhjanv87xhwkgw81l08";
  };

in
{

  imports = [ ../../modules ];

  networking.firewall.trustedInterfaces = [ "tinc.private" ];

  users.users."tinc.private".group = "tinc.private";
  users.groups."tinc.private" = { };
  users.users."tinc.private".isSystemUser = lib.mkDefault true;


  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  module.cluster.services.tinc = {
    "retiolum" = {
      networkSubnet = "10.243.0.0/16";
      port = 720;
      extraConfig = ''
        LocalDiscovery = yes
        AutoConnect = yes
      '';
      privateEd25519KeyFile =
        toString config.sops.secrets.tinc_retiolum_ed25519_key.path;
      privateRsaKeyFile = toString config.sops.secrets.tinc_retiolum_rsa_key.path;
      hosts = {
        pepe = {
          tincIp = "10.243.23.1";
          publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
        };
        sterni = {
          tincIp = "10.243.23.3";
          publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
        };
      };
    };
    # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
    "secret" = {
      networkSubnet = "10.123.42.0/24";
      port = 721;
      extraConfig = ''
        LocalDiscovery = yes
        AutoConnect = yes
      '';
      privateEd25519KeyFile =
        toString config.sops.secrets.tinc_ed25519_key.path;
      privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
      hosts = {
        sternchen = {
          tincIp = "10.123.42.25";
          publicKey = lib.fileContents ../../assets/tinc/sternchen_host_file;
        };
        sterni = {
          tincIp = "10.123.42.24";
          publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
        };
        robi = {
          realAddress = [ "144.76.13.147" ];
          tincIp = "10.123.42.123";
          publicKey = lib.fileContents ../../assets/tinc/robi_host_file;
        };
      };
    };
    # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
    "private" = {
      networkSubnet = "10.23.42.0/24";
      extraConfig = ''
        LocalDiscovery = yes
      '';
      privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
      privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
      hosts = {
        pepe = {
          tincIp = "10.23.42.26";
          publicKey = lib.fileContents ../../assets/tinc/pepe_host_file;
        };
        sterni = {
          tincIp = "10.23.42.24";
          publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
        };
        mobi = {
          tincIp = "10.23.42.23";
          publicKey = lib.fileContents ../../assets/tinc/mobi_host_file;
        };
        robi = {
          realAddress = [ "144.76.13.147" ];
          tincIp = "10.23.42.111";
          publicKey = lib.fileContents ../../assets/tinc/robi_host_file;
        };
      };
    };
  };

  sops.secrets.tinc_ed25519_key = { };
  sops.secrets.tinc_rsa_key = { };

  # retiolum stuff
  networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
  systemd.services."tinc.retiolum" = {
    preStart = ''
      cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true
    '';
  };

}