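# Builds the NixOps deployment description for a set of hosts.
#
# First argument:  the deployment's `hostnames` and `description`.
# Second argument: the flake inputs (`self`, `nixpkgs` and the fudo-* flakes).
# Result: an attrset holding `nixopsConfigurations.default`, i.e. the network
# settings merged with one machine module per entry in `hostnames`.
{ hostnames, description, ... }:

{ self, nixpkgs, fudo-home, fudo-nixos, fudo-pkgs, fudo-secrets, ... }:

with nixpkgs.lib;
let
  # Not referenced anywhere below; kept from the original.
  build-timestamp = self.sourceInfo.lastModified;

  helpers = import ./helpers.nix { lib = nixpkgs.lib; };

  # One attribute per .nix file under config/networks, keyed by the file name
  # without its extension. Not referenced anywhere below; kept from the original.
  networks = let
    network-files = helpers.nix-files (fudo-nixos + /config/networks);
    network-names = map helpers.strip-ext network-files;
  in genAttrs network-names
    (network: import (fudo-nixos + /config/networks/${network}.nix));

  # Host definitions from fudo-nixos, keyed by hostname.
  # Fixed: the path used `${host}`, which is not bound here; the lambda
  # parameter is `hostname`.
  hosts = genAttrs hostnames
    (hostname: import (fudo-nixos + /config/hosts/${hostname}.nix));

  # Package set for one `system`, shared by every host of that architecture.
  pkgs-for = system:
    import nixpkgs {
      inherit system;
      config = {
        allowUnfree = true;
        # SECURITY: this allowlists a package that nixpkgs marks as insecure,
        # so evaluation no longer refuses to build it. The exemption applies to
        # every host built from this file.
        # NOTE(review): confirm it is still required and remove the entry once
        # the hosts can move to a supported OpenSSH build.
        permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
      };
      # Fixed: `overlays` is an argument of nixpkgs itself, not a key of
      # `config`. Nested under `config` the overlays were never applied.
      overlays = [
        (import (fudo-pkgs + /overlay.nix))
        (import (fudo-nixos + /lib/overlay.nix))
      ];
    };

in {
  nixopsConfigurations.default = {
    inherit nixpkgs;
    network = {
      inherit description;
      enableRollback = true;
    };
  } // (genAttrs hostnames (hostname:
    let
      # Fixed: this binding was missing its terminating `;`.
      host-cfg = hosts.${hostname};
      pkgs = pkgs-for host-cfg.arch;
      domain = host-cfg.domain;
    in { config, ... }:
    let
      # Fixed: these two bindings read `config`, which only exists inside the
      # module function, so they now live below its argument list.
      #
      # NOTE(review): the original indexed `config.fudo.networks` with
      # `${network}`, which is not bound in this scope. `domain` was defined
      # and otherwise unused, so it is presumably the intended key. Confirm
      # against the fudo.networks option.
      network-hosts = config.fudo.networks.${domain}.hosts;
      host-filesystem-keys = config.fudo.secrets.files.host-filesystem-keys;
    in {
      nixpkgs.pkgs = pkgs;

      imports = [
        fudo-home.nixModule
        fudo-secrets.nixModule
        fudo-nixos.nixosConfigurations.${hostname}
      ];

      deployment = {
        targetHost = network-hosts.${hostname}.ipv4-address;

        # Per-host secrets handed to NixOps as deployment keys, readable by
        # root only (mode 0400). Hosts with no entry get no keys.
        # NOTE(review): confirm that each `secret-file` points at a file
        # outside the Nix store on the deploying machine. A path taken from a
        # flake input would already sit world-readable in /nix/store there.
        keys = mkIf (hasAttr hostname host-filesystem-keys) (mapAttrs
          (secret: secret-file: {
            keyFile = secret-file;
            user = "root";
            permissions = "0400";
          }) host-filesystem-keys.${hostname});
      };
    }));
}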