{ config, lib, pkgs, ... }:

let primaryIp = "10.0.0.11";

in {
  config = {
    boot = { loader.grub.copyKernels = true; };

    networking = {
      interfaces = {
        enp3s0f0.useDHCP = false;
        enp3s0f1.useDHCP = false;
        enp4s0f0.useDHCP = false;
        enp4s0f1.useDHCP = false;

        intif0 = {
          useDHCP = false;
          ipv4.addresses = [{
            address = primaryIp;
            prefixLength = 16;
          }];
        };
      };

      defaultGateway = {
        address = "10.0.0.1";
        interface = "intif0";
      };
    };

    environment = {
      etc = {
        nixos.source = "/etc/nixos-live";
        NIXOS.source = "/state/host/NIXOS";
      };
      systemPackages = with pkgs; [ nixopsUnstable openssl ];
    };

    security.sudo.extraConfig = ''
      # Due to rollback, sudo will lecture after every reboot
      Defaults lecture = never
    '';

    fudo = {
      secrets = {
        secret-group = "fudo-secrets";
        secret-users = [ "niten" ];
        secret-paths = [ "/secrets" ];
      };
      hosts.lambda.encrypted-filesystems.secrets = {
        encrypted-device =
          "/dev/disk/by-id/scsi-3600508b1001c2f439e343270a365a5bd-part1";
        key-path = "/state/secrets-key/key";
        filesystem-type = "btrfs";
        remove-key = false;
        type = "luks2";
        mountpoints = {
          "/secrets" = {
            options = [ "noatime" "compress=zstd" ];
            group = "fudo-secrets";
            users = [ "niten" ];
            world-readable = false;
          };
        };
      };
    };

    systemd = {
      tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ];
    };
  };
}