# NixOS module: membership of this host in three tinc networks ("retiolum",
# "insecure", "private") via the cluster tinc service module. Private keys are
# referenced by path only; public host keys are read at evaluation time from
# the <assets/...> NIX_PATH entry.
{ config, pkgs, lib, ... }:
let

  # Pinned checkout of the retiolum host directory. `rev` plus `sha256` fix
  # the content, so the etc.hosts and hosts/ data consumed below cannot change
  # without this file being updated.
  retiolum = pkgs.fetchgit {
    url = "https://github.com/krebs/retiolum.git";
    rev = "9e626816d8a48c6c328a91f0601af35a5ef0d167";
    sha256 = "0z2b1pd7ki9wbz2079arygv83ckhqsijllj25iy64lgxk6arvbla";
  };

in {

  imports = [ <modules> ];

  # Only the "private" network's interface bypasses the firewall; traffic
  # arriving on tinc.retiolum and tinc.insecure still goes through the rules.
  networking.firewall.trustedInterfaces = [ "tinc.private" ];

  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  module.cluster.services.tinc = {
    "retiolum" = {
      networkSubnet = "10.243.0.0/16";
      port = 720;
      extraConfig = ''
        LocalDiscovery = yes
        AutoConnect = yes
      '';
      # `toString` on a path value yields the path as a string without copying
      # the file into the world-readable /nix/store (a "${path}" interpolation
      # would copy it). Retiolum has its own key pair, unlike the two networks
      # below.
      privateEd25519KeyFile = toString <secrets/tinc/retiolum/ed25519_key>;
      privateRsaKeyFile = toString <secrets/tinc/retiolum/rsa_key>;
      # NOTE(review): all four hosts read the same <assets/tinc/retiolum/host_file>,
      # i.e. they are declared with one identical public key. Presumably the
      # authoritative host files are the ones copied from the retiolum checkout
      # in preStart below and these entries are placeholders — confirm.
      hosts = {
        pepe = {
          tincIp = "10.243.23.1";
          publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
        };
        sterni = {
          tincIp = "10.243.23.3";
          publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
        };
        workhorse = {
          tincIp = "10.243.23.5";
          publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
        };
        workout = {
          tincIp = "10.243.23.4";
          publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
        };
      };
    };
    # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
    "insecure" = {
      networkSubnet = "10.123.42.0/24";
      port = 721;
      extraConfig = ''
        LocalDiscovery = yes
        AutoConnect = yes
      '';
      # NOTE(review): the "insecure" and "private" networks share one key pair
      # (<secrets/tinc/ed25519_key>, <secrets/tinc/rsa_key>), so this node has
      # the same identity on both — confirm that is intended rather than an
      # oversight from copying the block.
      privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
      privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
      hosts = {
        sterni = {
          tincIp = "10.123.42.24";
          # publicKey  = lib.fileContents <assets/tinc/sterni_host_file>;
          # NOTE(review): sterni is declared with workout's public key while the
          # sterni_host_file line above is commented out; as written this node
          # presumably treats a peer holding workout's key as sterni — confirm
          # whether this is a temporary workaround (same pattern in "private").
          publicKey = lib.fileContents <assets/tinc/workout_host_file>;
        };
        porani = {
          tincIp = "10.123.42.31";
          publicKey = lib.fileContents <assets/tinc/porani_host_file>;
        };
        workhorse = {
          tincIp = "10.123.42.21";
          publicKey = lib.fileContents <assets/tinc/workhorse_host_file>;
        };
        # The only host in this network with a public endpoint declared here.
        sputnik = {
          realAddress = [ "static.247.134.201.195.clients.your-server.de:721" ];
          tincIp = "10.123.42.122";
          publicKey = lib.fileContents <assets/tinc/sputnik_host_file>;
        };
      };
    };
    # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
    "private" = {
      networkSubnet = "10.23.42.0/24";
      # No `port` set here, unlike the other two networks; the module's default
      # applies. No AutoConnect either — only LocalDiscovery.
      extraConfig = ''
        LocalDiscovery = yes
      '';
      # Same key pair as the "insecure" network above (see note there).
      privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
      privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
      hosts = {
        workout = {
          tincIp = "10.23.42.27";
          publicKey = lib.fileContents <assets/tinc/workout_host_file>;
        };
        pepe = {
          tincIp = "10.23.42.26";
          publicKey = lib.fileContents <assets/tinc/pepe_host_file>;
        };
        sterni = {
          tincIp = "10.23.42.24";
          # publicKey  = lib.fileContents <assets/tinc/sterni_host_file>;
          # NOTE(review): sterni again carries workout's public key, not its own
          # — see the same note in the "insecure" network.
          publicKey = lib.fileContents <assets/tinc/workout_host_file>;
        };
        mobi = {
          tincIp = "10.23.42.23";
          publicKey = lib.fileContents <assets/tinc/mobi_host_file>;
        };
        # porani is a member of "insecure" but is currently disabled here.
        #porani = {
        #  tincIp = "10.23.42.31";
        #  publicKey = lib.fileContents <assets/tinc/porani_host_file>;
        #};
        workhorse = {
          tincIp = "10.23.42.21";
          publicKey = lib.fileContents <assets/tinc/workhorse_host_file>;
        };
        sputnik = {
          # Reached via DNS name (on 443 here, 721 in "insecure"); the bare-IP
          # form is kept commented out as the fallback.
          realAddress = [
            # "195.201.134.247:443"
            "static.247.134.201.195.clients.your-server.de:443"
          ];
          tincIp = "10.23.42.122";
          publicKey = lib.fileContents <assets/tinc/sputnik_host_file>;
        };
      };
    };
  };

  # retiolum stuff
  # Append the hosts file shipped in the pinned checkout to /etc/hosts.
  # `toString` of an already-interpolated string is a no-op here.
  networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
  systemd.services."tinc.retiolum" = {
    # Copy the retiolum host files into the network's config directory before
    # the daemon starts. `|| true` makes this best-effort: if the copy fails
    # (e.g. the destination is not writable) the service still starts but
    # without these hosts, and nothing reports it — check the journal when
    # peers from the retiolum repo are missing.
    preStart = ''
      cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true
    '';
  };

}