{ ipv4
, ipv6
, config
, optionalString
, concatStringsSep
, mapAttrsToList
, ...
}:
let
  # Mesh (tinc) IPv4 address of every peer.  The same table feeds three things
  # below: each peer's tinc `subnets` entry, the `<name>.<network>` lines in
  # /etc/hosts, and the pinned addresses in the SSH known_hosts entries.
  # robi is the only peer that additionally has a public address (see its
  # `addresses` entry under hostSettings).
  hosts = {
    mobi = "10.23.42.23";
    sterni = "10.23.42.24";
    bobi = "10.23.42.25";
    pepe = "10.23.42.26";
    cream = "10.23.42.27";
    chungus = "10.23.42.28";
    robi = "10.23.42.111";
  };
  # Service names reachable as `<service>.<host>.<network>`.  Each entry maps
  # to the mesh address of the host that runs the service, so the names
  # resolve through /etc/hosts (see networking.extraHosts) without any DNS.
  # Adding a service is a one-word change in `perHost`.
  subDomains =
    let
      perHost = {
        robi = [ "grafana" "loki" "prometheus" "sync" "transmission" "transmission2" ];
        pepe = [ "grafana" "loki" "prometheus" "tdarr" "tts" ];
        chungus = [ "flix" "grafana" "loki" "prometheus" "sync" "tdarr" "trilium" "tts" ];
        cream = [ "trilium" ];
      };
      # One `{ name = "grafana.robi"; value = hosts.robi; }` pair per service.
      entriesFor = host: services:
        map (service: { name = "${service}.${host}"; value = hosts.${host}; }) services;
    in
    builtins.listToAttrs (builtins.concatLists (mapAttrsToList entriesFor perHost));
  # Name of the tinc network.  It also names the interface (`tinc.<network>`)
  # and is the host-name suffix used in /etc/hosts and known_hosts below.
  network = "private";
in
{
  # Traffic arriving on the tinc interface bypasses the host firewall, so every
  # peer whose Ed25519 key is pinned in hostSettings below reaches all local
  # services unfiltered.  Keep that in mind when adding peers.
  networking.firewall.trustedInterfaces = [ "tinc.${network}" ];

  # This host's tinc Ed25519 private key, provided by sops-nix; only its
  # decrypted path is referenced (ed25519PrivateKeyFile below).
  sops.secrets.tinc_ed25519_key = { };

  #  nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  # Each peer is pinned to exactly one Ed25519 public key (the
  # `Ed25519PublicKey` line of the host file tinc generates).
  services.tinc.networks.${network} =
    let
      ed25519PublicKeys = {
        mobi = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
        cream = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
        sterni = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
        bobi = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
        pepe = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
        chungus = "mJP+zzYGv42KItpSf3lMkr3dwa5xW3n3hi0W2Z75jfJ";
        robi = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
      };
      # Host entry for a peer: its mesh address as tinc Subnet plus its key.
      peer = name: key: {
        subnets = [{ address = hosts.${name}; }];
        settings.Ed25519PublicKey = key;
      };
    in
    {
      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
      # Layer-2 interface; networkd assigns the mesh addresses to it below.
      interfaceType = "tap";
      # Let peers on the same LAN find each other directly instead of
      # relaying through the peer with a public address (presumably robi).
      extraConfig = ''
        LocalDiscovery = yes
      '';
      hostSettings = builtins.mapAttrs peer ed25519PublicKeys // {
        # robi is the only peer with a public address, so it is the one every
        # other host can reach to join the mesh.
        robi = peer "robi" ed25519PublicKeys.robi // {
          addresses = [{ address = "144.76.13.147"; }];
        };
      };
    };

  # networkd configuration for the tap interface tinc creates.  The mesh
  # addresses are module arguments so the same file serves every host; a host
  # that has no address of a family simply gets no Address= line for it.
  systemd.network =
    let
      # `optionalString` never forces the string, so a null address is fine.
      address4 = optionalString (ipv4 != null) "Address=${ipv4}/24";
      address6 = optionalString (ipv6 != null) "Address=${ipv6}/28";
    in
    {
      enable = true;
      networks.${network}.extraConfig = ''
        [Match]
        Name = tinc.${network}
        [Link]
        # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
        MTUBytes=1377
        [Network]
        ${address4}
        ${address6}
        RequiredForOnline = no
        LinkLocalAddressing = no
      '';
    };

  # One `/etc/hosts` line per mesh host and per service sub-domain, all under
  # the `.<network>` suffix, so the names resolve locally without DNS.
  networking.extraHosts =
    let
      hostsLine = name: ip: "${ip} ${name}.${network}";
    in
    concatStringsSep "\n" (mapAttrsToList hostsLine (hosts // subDomains));

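  # SSH host keys of every mesh peer, pinned for both its `.<network>` name and
  # its mesh address so first-contact prompts never appear inside the mesh.
  # All entries are now keyed uniformly as `<name>.<network>` (robi used to be
  # keyed as plain "robi"; the key only names the option entry, the matched
  # names come from hostNames).
  # NOTE(review): robi's public address (see hostSettings.robi.addresses) is
  # not listed in its hostNames, so SSH to that address is not covered by this
  # pin — add it here if the same sshd answers there; confirm first.
  services.openssh.knownHosts =
    let
      sshHostKeys = {
        robi = "AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
        sterni = "AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
        cream = "AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
        pepe = "AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
        chungus = "AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9";
        bobi = "AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
        mobi = "AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
      };
      # known_hosts entry for one peer: `<name>.<network>` and its mesh address
      # both map to the same ssh-ed25519 key.
      pin = name: key: {
        name = "${name}.${network}";
        value = {
          hostNames = [ "${name}.${network}" hosts.${name} ];
          publicKey = "ssh-ed25519 ${key}";
        };
      };
    in
    builtins.listToAttrs (mapAttrsToList pin sshHostKeys);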

}