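# NixOS host module.
#
# Declares two things:
#   * `vmConfig`: a declarative container named `tester` that runs an
#     authoritative DNS server for sea.fudo.org on 10.0.0.14, attached to the
#     physical interface enp7s0 through a macvlan.
#   * the host's own settings: networking on intif0, symlinks and bind mounts
#     that keep selected state under ${state-dir}, SSH host keys, bluetooth,
#     fonts and a few /etc entries.
#
# Layout note: every `#`-commented alternative sits on its own line. If these
# are collapsed onto one physical line, the first `#` comments out the rest of
# the expression.
{ config, lib, pkgs, ... }:

with lib;
let
  # Root of the persistent-state tree that the host links and bind-mounts from.
  state-dir = "/state";

  inherit (config.instance) hostname;

  # Container definition, imported below as an ordinary module.
  # `config` is not among this function's formals, so every `config.…`
  # reference inside it resolves to the *host* configuration of the outer
  # function.
  vmConfig = { pkgs, lib, ... }: {
    config = {
      containers.tester = {
        autoStart = true;
        # localAddress = "10.0.0.14";

        # NOTE(review): CAP_NET_ADMIN lets root inside the container change
        # interfaces, routes and packet filtering in its network namespace.
        # Confirm the macvlan setup still needs it, and drop it otherwise.
        additionalCapabilities = [ "CAP_NET_ADMIN" ];
        # privateNetwork = true;

        # The container gets a macvlan on top of enp7s0; inside the container
        # it is configured below as `mv-enp7s0`.
        macvlans = [ "enp7s0" ];
        #hostBridge = "tester0";
        #hostAddress = "10.0.0.14";
        #privateNetwork = true;

        config = {
          imports = [ pkgs.moduleRegistry.authoritativeDns ];

          # NOTE(review): sshd is enabled and TCP 22 is opened below, but no
          # authentication settings are set here, so the module defaults
          # apply. Confirm key-only login is enforced for this container.
          services.openssh.enable = true;

          # Copy the host's `niten` account and its primary group into the
          # container, taken verbatim from the host configuration.
          users = let groupName = config.users.users.niten.group;
          in {
            users.niten = config.users.users.niten;
            groups."${groupName}" = config.users.groups."${groupName}";
          };

          services.authoritative-dns = {
            enable = true;
            identity = "ns.sea.fudo.org";
            listen-ips = [ "10.0.0.14" ];
            state-directory = "/var/lib/nsd";
            timestamp = toString config.instance.build-timestamp;
            domains = {
              "sea.fudo.org" = { zone = config.fudo.zones."sea.fudo.org"; };
            };
          };

          networking = {
            defaultGateway = pkgs.lib.getHostGatewayV4 hostname;

            # Container firewall: SSH plus DNS over TCP and UDP, nothing else.
            firewall = {
              enable = true;
              allowedTCPPorts = [ 22 53 ];
              allowedUDPPorts = [ 53 ];
            };
            # interfaces.eth0 = {
            #   ipv4.addresses = [{
            #     address = "10.0.0.14";
            #     prefixLength = 24;
            #   }];
            # };
            interfaces.mv-enp7s0.ipv4.addresses = [{
              address = "10.0.0.14";
              prefixLength = 24;
            }];
          };
        };
      };
    };
  };

in {
  imports = [ vmConfig ];

  config = {
    fudo = {
      slynk.enable = true;
      wallfly.location = "office";
    };

    networking = {
      defaultGateway = {
        address = pkgs.lib.getHostGatewayV4 hostname;
        interface = "intif0";
      };

      interfaces = {
        intif0 = {
          ipv4.addresses = [{
            address = pkgs.lib.getHostIpv4 hostname;
            prefixLength = 16;
          }];
        };
        # intif1.ipv4.addresses = [{
        #   address = "10.0.0.14";
        #   prefixLength = 32;
        # }];
      };

      # NOTE(review): the host firewall is switched off, so every service
      # listening on the host is reachable from the intif0 /16. Confirm that
      # filtering happens upstream, or enable the firewall with an explicit
      # port allowlist as the container does.
      firewall.enable = false;
    };

    # tmpfiles `L` entries create symlinks into the persistent-state tree;
    # the `d` entry creates the directory that is bind-mounted below.
    # NOTE(review): ${state-dir}/user/root holds private key material
    # (GnuPG home and id_rsa). Nothing in this file sets ownership or mode on
    # that tree, so verify it is readable by root only.
    # Each rule must stay on one line: systemd-tmpfiles parses one entry per
    # line, so a line break inside a rule string separates the link path from
    # its target.
    systemd.tmpfiles.rules = [
      "L /root/.gnupg            - - - - ${state-dir}/user/root/gnupg"
      "L /root/.ssh/id_rsa       - - - - ${state-dir}/user/root/ssh/id_rsa"
      "L /root/.ssh/id_rsa.pub   - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
      "L /root/.ssh/known_hosts  - - - - ${state-dir}/user/root/ssh/known_hosts"
      "L /var/lib/flatpak        - - - - ${state-dir}/lib/flatpak"
      "L /etc/adjtime            - - - - ${state-dir}/etc/adjtime"
      "d ${state-dir}/lib/cups 755 root root - -"
    ];

    services = {
      blueman.enable = true;

      # SSH host keys live in the persistent-state tree rather than /etc/ssh.
      # NOTE(review): as with root's keys above, confirm ${state-dir}/ssh is
      # restricted to root; this file does not set its permissions.
      openssh.hostKeys = [
        {
          path = "${state-dir}/ssh/ssh_host_rsa_key";
          type = "rsa";
          bits = 4096;
        }
        {
          path = "${state-dir}/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };

    # CUPS state is bind-mounted from the directory created by the `d`
    # tmpfiles rule above.
    fileSystems = {
      "/var/lib/cups" = {
        device = "${state-dir}/lib/cups";
        options = [ "bind" ];
      };
    };

    fonts.fontconfig = {
      hinting = {
        enable = true;
        style = "full";
      };
      subpixel.lcdfilter = "default";
      antialias = true;
    };

    environment.etc = {
      nixos.source = "/etc/nixos-live";
      NIXOS.source = "${state-dir}/etc/NIXOS";
    };

    hardware = {
      bluetooth = {
        enable = true;
        package = pkgs.bluez;
      };
      xpadneo.enable = true;
    };
  };
}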