{ ipv4
, ipv6
, config
, optionalString
, concatStringsSep
, mapAttrsToList
, ...
  # Overlay (VPN) address of each tinc node, keyed by node name. These values
  # feed the tinc subnets, /etc/hosts and the SSH knownHosts entries below.
  # NOTE(review): every address is an empty string in this copy (presumably
  # redacted). With empty values the generated hosts lines and tinc subnet
  # entries would be malformed, so fill them in before deploying.
  hosts = {
    mobi = "";
    sterni = "";
    bobi = "";
    pepe = "";
    cream = "";
    chungus = "";
    robi = "";
  # Service aliases. Each "<service>.<host>" name maps to the same overlay
  # address as the host that runs it, so addressing gives no separation between
  # services on one host. Access control has to come from the services or a
  # reverse proxy on that host.
  # NOTE(review): the tinc interface is a trusted firewall interface (see
  # networking.firewall.trustedInterfaces), so confirm each service listed here
  # enforces its own authentication.
  subDomains = {
    # robi
    "grafana.robi" = hosts.robi;
    "loki.robi" = hosts.robi;
    "prometheus.robi" = hosts.robi;
    "sync.robi" = hosts.robi;
    "transmission.robi" = hosts.robi;
    "transmission2.robi" = hosts.robi;
    # pepe
    "grafana.pepe" = hosts.pepe;
    "loki.pepe" = hosts.pepe;
    "prometheus.pepe" = hosts.pepe;
    "tdarr.pepe" = hosts.pepe;
    "tts.pepe" = hosts.pepe;
    # chungus
    "flix.chungus" = hosts.chungus;
    "grafana.chungus" = hosts.chungus;
    "loki.chungus" = hosts.chungus;
    "prometheus.chungus" = hosts.chungus;
    "sync.chungus" = hosts.chungus;
    "tdarr.chungus" = hosts.chungus;
    "trilium.chungus" = hosts.chungus;
    "tts.chungus" = hosts.chungus;
    # cream
    "trilium.cream" = hosts.cream;
  # Name of the tinc network. It is reused for the interface name
  # (tinc.<network>), the systemd-networkd unit and the name suffix in /etc/hosts.
  network = "private";
  # trustedInterfaces makes the NixOS firewall accept ALL inbound traffic on the
  # tinc interface. Every listening port on this machine is then reachable from
  # every VPN peer, so a single compromised peer can reach all local services.
  # If only a few services are meant to be shared, per-interface rules
  # (networking.firewall.interfaces.<name>.allowedTCPPorts) are the narrower
  # alternative.
  networking.firewall.trustedInterfaces = [ "tinc.${network}" ];

  # Declares this node's tinc Ed25519 private key as a sops-nix secret, so the
  # key is decrypted on the target host instead of sitting in plaintext in the
  # repository or the Nix store.
  # NOTE(review): default owner/mode are used here. Confirm the tinc daemon can
  # read the decrypted file and that no other account can.
  sops.secrets.tinc_ed25519_key = { };

  #  nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  # NOTE(review): the 4096 argument is an RSA key size. Only Ed25519 keys are
  # configured below, so it presumably has no effect on the keys used here.
  #
  # One tinc mesh named after `network`. Membership is defined by hostSettings:
  # each entry pins a node's Ed25519 public key and the overlay address it
  # announces as its subnet. Adding an entry admits that key to the VPN, so
  # review changes to this set the way you would review an authorized_keys file.
  # The public keys are not secret; only the private key (read via sops) is.
  # robi is the only node with an `addresses` entry, so it is presumably the
  # node the others dial. Its value is empty in this copy (presumably redacted).
  services.tinc.networks = {
    ${network} = {
      # Path of the sops-managed secret, so the private key itself never enters
      # the Nix store.
      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
      # "tap" is a layer-2 (Ethernet) device rather than a routed layer-3 one.
      # NOTE(review): no Mode setting is visible in extraConfig. Confirm the
      # tinc mode matches the tap device and that sharing a layer-2 segment
      # between all peers is intended.
      interfaceType = "tap";
      # LocalDiscovery lets tinc look for peers on the same local network.
      extraConfig = ''
        LocalDiscovery = yes
      hostSettings = {
        mobi = {
          subnets = [{ address = hosts.mobi; }];
          settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
        cream = {
          subnets = [{ address = hosts.cream; }];
          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
        sterni = {
          subnets = [{ address = hosts.sterni; }];
          settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
        bobi = {
          subnets = [{ address = hosts.bobi; }];
          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
        pepe = {
          subnets = [{ address = hosts.pepe; }];
          settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
        chungus = {
          subnets = [{ address = hosts.chungus; }];
          settings.Ed25519PublicKey = "mJP+zzYGv42KItpSf3lMkr3dwa5xW3n3hi0W2Z75jfJ";
        robi = {
          addresses = [{ address = ""; }];
          subnets = [{ address = hosts.robi; }];
          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";

  # Configures the tinc interface through systemd-networkd. The ipv4/ipv6
  # module arguments become the interface addresses (/24 and /28 prefixes),
  # and each Address line is emitted only when its argument is non-null.
  # RequiredForOnline = no keeps boot from waiting on the VPN link, and
  # LinkLocalAddressing = no disables link-local addresses on it.
  # NOTE(review): the "# tested with ping" line sits inside the string, so it is
  # written into the generated unit. It appears to describe an MTU setting, but
  # no MTU line or section headers ([Match]/[Network]/[Link]) are visible in
  # this copy. Confirm the generated .network file contains them.
  systemd.network.enable = true;
  systemd.network.networks.${network}.extraConfig = ''
    Name = tinc.${network}
    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
    RequiredForOnline = no
    LinkLocalAddressing = no

  # Writes one /etc/hosts line per entry of hosts and subDomains in the form
  # "<ip> <name>.<network>" (e.g. grafana.robi.private). With `//`, a subDomains
  # key would override a hosts key of the same name. This resolution is static
  # and local and does not authenticate the peer behind the address; peer
  # identity rests on the tinc public keys and the pinned SSH host keys.
  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));

  # Pins each node's SSH host key system-wide for both its VPN name and its
  # overlay address, so first connections are checked against these keys instead
  # of relying on trust-on-first-use. When a node's host key is rotated, the
  # entry here must be updated too, or ssh will reject the host.
  # The "robi" entry is labelled without the ".${network}" suffix the others
  # use. hostNames is set explicitly, so the label presumably does not affect
  # matching, but it is inconsistent with its siblings.
  services.openssh.knownHosts = {
    "robi" = {
      hostNames = [ "robi.${network}" hosts.robi ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
    "sterni.${network}" = {
      hostNames = [ "sterni.${network}" hosts.sterni ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
    "cream.${network}" = {
      hostNames = [ "cream.${network}" hosts.cream ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
    "pepe.${network}" = {
      hostNames = [ "pepe.${network}" hosts.pepe ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
    "chungus.${network}" = {
      hostNames = [ "chungus.${network}" hosts.chungus ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9";
    "bobi.${network}" = {
      hostNames = [ "bobi.${network}" hosts.bobi ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
    "mobi.${network}" = {
      hostNames = [ "mobi.${network}" hosts.mobi ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
