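# NixOS host configuration ("cafe"): one ephemeral, private-network container
# per ./services/*.nix, an nginx reverse proxy in front of them, key-only SSH
# on port 222, and doas instead of sudo.
#
# Shape: `state-version` is applied first (shared by the host and every
# container), then the ordinary NixOS module arguments.  `lib` below is the
# project helper set from ./lib.nix (flatMap / flatMapS) and NOT nixpkgs' lib,
# which is reached as `pkgs.lib` where needed.
state-version: { pkgs, ... }:
let
  lib = import ./lib.nix { inherit pkgs; };

  # Every ./services/*.nix is imported with { pkgs lib } and given an address
  # on the container bridge.  Addresses follow the sorted file-name order that
  # readDir yields, starting at .2 (.1 is the host), so adding or removing a
  # service renumbers the others; anything outside this file that pins a
  # container IP will break when that happens (the generated hosts entries in
  # each container do not, they are regenerated).
  #
  # Keep this computation builtins-only: `imports` below is derived from it,
  # and module imports must not force `pkgs` (which is itself module config),
  # otherwise evaluation recurses infinitely.  The service files receive `pkgs`
  # lazily.  TODO(review): confirm the service files do not force `pkgs` while
  # building their `hostConfig`.
  services =
    with builtins;
    let
      serviceFiles = filter
        # "\\." is required for a literal dot: in a Nix string "\." is just
        # ".", so the previous pattern `.*.nix` also accepted names such as
        # "foonix".
        (file: match ".*\\.nix" file != null)
        (attrNames (readDir ./services));
      definitions = map
        (file: import (./services + "/${file}") { inherit pkgs lib; })
        serviceFiles;
      withAddress = index: elemAt definitions index // {
        ip = "10.10.0.${toString (index + 2)}";
      };
    in
    genList withAddress (length definitions);

  hostIp = "10.10.0.1";
  # Host directory under which every persistent container volume lives.
  hostVolumeDir = "/var/lib/container-storage/";
in
{
  # Host-side NixOS fragments contributed by the services (optional per file).
  imports = map (service: service.hostConfig or { }) services;

  containers = lib.flatMap
    ({ name, config, ip, ports, volumes, ... }: {
      ${name} = {
        autoStart = true;
        # The container root filesystem is discarded on every restart; only
        # the bindMounts below persist (under hostVolumeDir).
        ephemeral = true;
        # Own network namespace: reachable from the host over the veth pair
        # (host side = hostIp) and from outside only through nginx or the
        # explicit forwardPorts.
        privateNetwork = true;
        hostAddress = hostIp;
        localAddress = ip;
        bindMounts = lib.flatMap
          # The previous pattern `{ name, mountPoint }` had no `...`, so a
          # volume that set `readOnly` was rejected as an unexpected argument
          # and the read-only branch could never be taken.
          ({ name, mountPoint, readOnly ? false, ... }: {
            ${name} = {
              inherit mountPoint;
              # Volumes are read-write unless the service opts out.  That is
              # the opposite of the nixos-container default (isReadOnly =
              # true), so set readOnly = true on anything the service only
              # reads.
              isReadOnly = readOnly;
              # Volume names come from the service files in this repo; they are
              # joined onto hostVolumeDir without normalisation.
              hostPath = hostVolumeDir + name;
            };
          })
          volumes;
        # Host port -> container port DNAT.  Whether a forwarded port is
        # reachable from outside is still governed by the host firewall below.
        forwardPorts = map
          ({ container, host, proto }: {
            containerPort = container;
            hostPort = host;
            protocol = proto;
          })
          ports.forward;
        # The service's own NixOS config is pulled in as a module rather than
        # merged with `//`: the shallow merge silently replaced any
        # `networking`, `boot` or `system` attribute the service had set.
        # With the module system they are merged, and a genuine conflict
        # (e.g. two hostNames) is reported instead of hidden.
        config = {
          imports = [ config ];
          boot.isContainer = true;
          networking = {
            hostName = name;
            # Every container resolves every other one as <name> and
            # <name>.containers, so services address each other by name and
            # survive the renumbering described above.
            hosts = lib.flatMap
              ({ name, ip, ... }: { ${ip} = [ "${name}.containers" name ]; })
              services;
            # Per-container firewall: only the ports the service declares are
            # reachable from the bridge / the host.
            firewall.enable = true;
            firewall.allowedTCPPorts = ports.tcp;
            firewall.allowedUDPPorts = ports.udp;
          };
          system.stateVersion = state-version;
        };
      };
    })
    services;

  # Host directories backing the container volumes.  They are created
  # root-owned with the activation script's umask; a container service that
  # runs as an unprivileged user may need ownership fixed separately.
  # TODO(review): confirm against the service definitions.
  system.activationScripts.makeBindMounts = lib.flatMapS
    (name: ''
      mkdir -p ${pkgs.lib.escapeShellArg (hostVolumeDir + name)}
    '')
    (builtins.concatMap (service: map (volume: volume.name) service.volumes) services);

  # [NGINX] — plain-HTTP reverse proxy from each service's public host names to
  # its container.  Nothing here configures TLS (no enableACME / forceSSL), so
  # although port 443 is opened below, nginx only answers on 80 and the
  # client-to-proxy leg is unencrypted.  TODO(review): add TLS or drop 443.
  services.nginx = {
    enable = true;
    # Passes Host and X-Forwarded-* headers to the backend; that is the only
    # way the container learns the real client address.
    recommendedProxySettings = true;
    virtualHosts = lib.flatMap
      ({ ports, hosts, ip, ... }:
        # A service without an HTTP port (ports.http = null) gets no vhost.
        if ports.http == null then { }
        else lib.flatMap
          (host: {
            ${host}.locations."/".proxyPass =
              "http://${ip}:${toString ports.http}";
          })
          hosts)
      services;
  };

  # [SSHD] — key-only login on a non-default port; root cannot log in at all.
  services.openssh = {
    enable = true;
    ports = [ 222 ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # [NETWORK]
  networking = {
    hostName = "cafe";
    # 222 = sshd (above), 80/443 = nginx.  Nothing in this file listens on 22
    # (sshd is on 222 only) — kept as-is, but drop it unless a service
    # forwards host port 22.  443 is open although nginx has no TLS vhost.
    firewall.allowedTCPPorts = [ 22 222 80 443 ];
    firewall.allowedUDPPorts = [ ];
    nat = {
      enable = true;
      # Masquerade traffic from the container veths ...
      internalInterfaces = [ "ve-+" ];
      # ... out of this interface.  "lo" looks like a placeholder: with it, the
      # containers get no usable outbound NAT.  TODO(review): set it to the
      # interface carrying the default route, or document that containers are
      # intentionally without outbound connectivity.
      externalInterface = "lo";
    };
  };

  # [USER] — single admin account, SSH key login only (password auth is off).
  users.users.admin = {
    isNormalUser = true;
    group = "admin";
    # wheel: with security.doas enabled below, NixOS's doas module grants this
    # group doas access (password required unless wheelNeedsPassword is
    # disabled).  TODO(review): confirm that is the intended escalation path.
    extraGroups = [ "wheel" ];
    # The hash is read at evaluation time and therefore ends up in the system
    # closure (world-readable Nix store).  It is only a hash, but
    # `hashedPasswordFile` pointing at a file on the target host keeps even
    # the hash out of the store.  fileContents == removeSuffix "\n" (readFile).
    hashedPassword = pkgs.lib.fileContents ./secrets/admin_password;
    openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
  };
  users.groups.admin = { };

  # [SOFTWARE]
  programs.bash.interactiveShellInit = ''
    set -o vi
  '';

  # [NIX]
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "monthly";
      options = "--delete-older-than 30d";
    };
  };

  # Privilege escalation goes through doas only; sudo is not installed setuid.
  security.sudo.enable = false;
  security.doas.enable = true;

  system.stateVersion = state-version;
}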