with import <stockholm/lib>;
{ config, pkgs, ... }:
let
  out = {
    options.krebs.tinc = api;
    config = imp;
  };

  api = mkOption {
    default = {};
    description = ''
      define a tinc network
    '';
    type = types.attrsOf (types.submodule (tinc: {
      options = let
        netname = tinc.config._module.args.name;
      in {

        enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };
        enableLegacy = mkEnableOption "/etc/tinc/${netname}";

        confDir = mkOption {
          type = types.package;
          default = pkgs.linkFarm "${netname}-etc-tinc"
            (mapAttrsToList (name: path: { inherit name path; }) {
              "hosts" = tinc.config.hostsPackage;
              "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
                Name = ${tinc.config.host.name}
                Interface = ${netname}
                Broadcast = no
                ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
                ${optionalString (tinc.config.privkey_ed25519 != null)
                  "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
                }
                PrivateKeyFile = ${tinc.config.privkey.path}
                Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
                ${tinc.config.extraConfig}
              '';
              "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
                ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
                ${tinc.config.tincUp}
              '';
            });
        };

        host = mkOption {
          type = types.host;
          default = config.krebs.build.host;
        };

        netname = mkOption {
          type = types.enum (attrNames tinc.config.host.nets);
          default = netname;
          description = ''
            The tinc network name.
            It is used to name the TUN device and to generate the default value for
            <literal>config.krebs.tinc.retiolum.hosts</literal>.
          '';
        };

        extraConfig = mkOption {
          type = types.str;
          default = "";
          description = ''
            Extra Configuration to be appended to tinc.conf
          '';
        };
        tincUp = mkOption {
          type = types.str;
          default = let
            net = tinc.config.host.nets.${netname};
            iproute = tinc.config.iproutePackage;
          in ''
            ${optionalString (net.ip4 != null) /* sh */ ''
              ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
              ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
            ''}
            ${optionalString (net.ip6 != null) /* sh */ ''
              ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
              ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
            ''}
            ${tinc.config.tincUpExtra}
          '';
          description = ''
            tinc-up script to be used. Defaults to setting the
            krebs.host.nets.<netname>.ip4 and ip6 for the new ips and
            configures forwarding of the respecitive netmask as subnet.
          '';
        };

        tincUpExtra = mkOption {
          type = types.str;
          default = "";
        };

        tincPackage = mkOption {
          type = types.package;
          default = pkgs.tinc;
          description = "Tincd package to use.";
        };

        hosts = mkOption {
          type = with types; attrsOf host;
          default =
            filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
          description = ''
            Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
            Note that these hosts must have a network named
            <literal>config.krebs.tinc.retiolum.netname</literal>.
          '';
        };

        hostsArchive = mkOption {
          type = types.package;
          default = pkgs.runCommand "retiolum-hosts.tar.bz2" {
            nativeBuildInputs = [ pkgs.gnutar pkgs.coreutils ];
          } ''
            cp \
                --no-preserve=mode \
                --recursive \
                ${tinc.config.hostsPackage} \
                hosts
            tar -cjf $out hosts
          '';
          readOnly = true;
        };

        hostsPackage = mkOption {
          type = types.package;
          default = pkgs.stdenv.mkDerivation {
            name = "${tinc.config.netname}-tinc-hosts";
            phases = [ "installPhase" ];
            installPhase = ''
              mkdir $out
              ${concatStrings (mapAttrsToList (_: host: ''
                echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
                  > $out/${shell.escape host.name}
              '') tinc.config.hosts)}
            '';
          };
          description = ''
            Package of tinc host configuration files.  By default, a package will
            be generated from <literal>config.krebs.${tinc.config.netname}.hosts</literal>.  This
            option's main purpose is to expose the generated hosts package to other
            modules, like <literal>config.krebs.tinc_graphs</literal>.  But it can
            also be used to provide a custom hosts directory.
          '';
          example = literalExample ''
            (pkgs.stdenv.mkDerivation {
              name = "my-tinc-hosts";
              src = /home/tv/my-tinc-hosts;
              installPhase = "cp -R . $out";
            })
          '';
        };

        iproutePackage = mkOption {
          type = types.package;
          default = pkgs.iproute;
          description = "Iproute2 package to use.";
        };

        privkey = mkOption {
          type = types.secret-file;
          default = {
            name = "${tinc.config.netname}.rsa_key.priv";
            path = "${tinc.config.user.home}/tinc.rsa_key.priv";
            owner = tinc.config.user;
            source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
          };
        };

        privkey_ed25519 = mkOption {
          type = types.nullOr types.secret-file;
          default =
            if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
              name = "${tinc.config.netname}.ed25519_key.priv";
              path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
              owner = tinc.config.user;
              source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
            };
        };

        connectTo = mkOption {
          type = types.listOf types.str;
          ${if tinc.config.netname == "retiolum" then "default" else null} = [
            "gum"
            "ni"
            "prism"
          ];
          description = ''
            The list of hosts in the network which the client will try to connect
            to.  These hosts should have an 'Address' configured which points to a
            routeable IPv4 or IPv6 address.

            In stockholm this can be done by configuring:
              krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.ip4.addr = external-ip
              krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.tinc.port = 1655;
          '';
        };

        user = mkOption {
          type = types.user;
          default = {
            name = tinc.config.netname;
            home = "/var/lib/${tinc.config.user.name}";
          };
        };
      };
    }));
  };

  imp = {
    # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
    # avoid conflicts in environment if the packages differ

    krebs.secret.files =
      let
        ed25519_keys =
          filterAttrs
            (_: key: key != null)
            (mapAttrs'
              (netname: cfg:
                nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
              )
              config.krebs.tinc);

        rsa_keys =
          mapAttrs'
            (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
            config.krebs.tinc;
      in
        ed25519_keys // rsa_keys;

    users.users = mapAttrs' (netname: cfg:
      nameValuePair "${netname}" {
        inherit (cfg.user) home name uid;
        createHome = true;
        isSystemUser = true;
      }
    ) config.krebs.tinc;

    environment.etc = mapAttrs' (netname: cfg:
      nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy {
        source = cfg.confDir;
      })
    ) config.krebs.tinc;

    systemd.services = mapAttrs (netname: cfg:
      let
        tinc = cfg.tincPackage;
        iproute = cfg.iproutePackage;
      in {
        description = "Tinc daemon for ${netname}";
        after = [
          "network.target"
          config.krebs.secret.files."${netname}.rsa_key.priv".service
        ] ++ optionals (cfg.privkey_ed25519 != null) [
          config.krebs.secret.files."${netname}.ed25519_key.priv".service
        ];
        partOf = [
          config.krebs.secret.files."${netname}.rsa_key.priv".service
        ] ++ optionals (cfg.privkey_ed25519 != null) [
          config.krebs.secret.files."${netname}.ed25519_key.priv".service
        ];
        wantedBy = [ "multi-user.target" ];
        path = [ tinc iproute ];
        serviceConfig = rec {
          Restart = "always";
          ExecStart = "${tinc}/sbin/tincd -c ${cfg.confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
          SyslogIdentifier = netname;
        };
      }
    ) config.krebs.tinc;
  };
in out