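# krops deployment description for the host "sterni".
#
# Arguments:
#   pkgs         - package set; only pkgs.writers.writeBash is used here
#   writeCommand - helper that takes a script name plus { source, target,
#                  force, command } (NOTE(review): presumably the krops
#                  writeCommand, which populates the target and then runs
#                  `command` there; confirm against the caller)
#   lib          - library providing evalSource and mkTarget
#   secrets      - base location of the secrets tree (see the note on `source`)
#
# Returns an attribute set with one deploy script per host.
{ pkgs, writeCommand, lib, secrets }:
let

  # Command that ensures flake.nix is used when rebuilding on the target.
  # NOTE(review): this runs `nixos-rebuild build`, which builds the system but
  # does not activate it; the earlier comment spoke of "switch". Confirm which
  # one is intended.
  #
  # `targetPath` is spliced into single-quoted shell text below. It comes from
  # the fixed mkTarget strings in this file, so it is not attacker-controlled,
  # but a path containing a single quote would break the quoting.
  command = targetPath:
    let
      commandLine =
        "TMPDIR=/tmp nixos-rebuild build --flake ${targetPath} -L --keep-going";
    in
    ''
      echo '${commandLine}'
      nix-shell \
        -E "with import <nixpkgs> {}; mkShell { buildInputs = [ git (nixos { nix.package = nixFlakes; }).nixos-rebuild ]; }" \
        --run '${commandLine}'
    '';
  # Fix: the expression read `with import {};`, which cannot evaluate (import
  # needs a path). The `<nixpkgs>` argument was presumably lost when the file
  # was rendered, so it is restored here.
  # NOTE(review): `<nixpkgs>` resolves through NIX_PATH wherever nix-shell
  # runs, so the git / nixos-rebuild tooling is not pinned by flake.lock.

  #secrets = name: {
  #  secrets.pass = {
  #    dir = toString ~/.password-store;
  #    name = "krops/${name}/secrets";
  #  };
  #  common_secrets.pass = {
  #    dir = toString ~/.password-store;
  #    name = "krops/common_secrets";
  #  };
  #};

  #desktopSecrets = {
  #  desktop_secrets.pass = {
  #    dir = toString ~/.password-store;
  #    name = "krops/desktop_secrets";
  #  };
  #};

  # Everything that is copied to the target before `command` runs.
  #
  # Local paths go through `toString`, so they stay plain strings and are not
  # copied into the Nix store at evaluation time.
  source = {

    # NOTE(review): if `secrets` is a Nix path value rather than a string, the
    # interpolation below copies the whole tree into the world-readable Nix
    # store on the deploying machine. Confirm the caller passes a string, or
    # apply `toString` at the call site.
    secrets.file = "${secrets}/secrets";

    assets.file = toString ./assets;

    # Read from the local password store at deploy time.
    private_assets.pass = {
      dir = toString ~/.password-store;
      name = "krops/private_assets";
    };

    configs.file = toString ./configs;
    library.file = toString ./library;
    modules.file = toString ./modules;
    pkgs.file = toString ./pkgs;
    system.file = toString ./system;
    "flake.nix".file = toString ./flake.nix;
    "flake.lock".file = toString ./flake.lock;
    "configurations.nix".file = toString ./configurations.nix;
    #mqtt.file = toString ./mqtt;

    # The three git sources below are pinned by tag name. A tag can be moved
    # on the server, and the fetched code is evaluated as part of the system
    # configuration for a root deployment.
    # NOTE(review): consider pinning `ref` to the full commit hash behind each
    # tag so the deployed code cannot change without an edit to this file.

    #backup-module.file = toString ~/dev/backup;
    backup-module.git = {
      url = "https://git.ingolf-wagner.de/nix-modules/backup.git";
      ref = "1.3.3";
    };

    #kops-lib.file = toString ~/dev/krops-lib;
    krops-lib.git = {
      url = "https://git.ingolf-wagner.de/nix-modules/krops.git";
      ref = "1.0.3";
    };

    #cluster-module.file = toString ~/dev/cluster-module;
    cluster-module.git = {
      url = "https://git.ingolf-wagner.de/nix-modules/cluster.git";
      ref = "1.2.0";
    };

  };

in
{

  sterni =
    let
      # Populates /var/krops on the host as root, then runs `command` there.
      # NOTE(review): `force = true` overrides krops' sentinel-file guard on
      # the target directory (confirm against the krops version in use), so a
      # mistyped target path would no longer be rejected.
      system = writeCommand "/bin/system" {
        source = lib.evalSource [ source ];
        force = true;
        target = lib.mkTarget "root@sterni.private/var/krops";
        inherit command;
      };

      # Pushes NetworkManager connection profiles from the password store.
      # The target is a live system directory and `force = true` is set, so
      # the same sentinel-guard caveat applies here.
      network = writeCommand "/bin/secrets" {
        source = lib.evalSource [{
          system-connections.pass = {
            dir = toString ~/.password-store;
            name = "krops/desktop_secrets/network-manager/system-connections";
          };
        }];
        force = true;
        target = lib.mkTarget "root@sterni.private/etc/NetworkManager";
      };
    in
    # The network step is commented out in the generated bash script only.
    # Nix still interpolates ${network} inside the string, so that script is
    # still built as a dependency even though it never runs.
    pkgs.writers.writeBash "/bin/sterni" ''
      #echo "deploy network secerts"
      #${network}/bin/secrets
      echo "deploy system"
      ${system}/bin/system
    '';

}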