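# NixOS host configuration: one ephemeral container per ./services/*.nix
# module, fronted by nginx on the host. Called as `state-version: { pkgs, ... }`.
state-version: { pkgs, ... }:
let
  services = with builtins;
    let
      # Every *.nix file under ./services is a service module; each is imported
      # with pkgs and later gets a container IP assigned.
      # The dot must be escaped twice: "\." in a Nix string is just ".", so the
      # original pattern ".*.nix" also matched names such as "foo-nix".
      services_no_ip =
        map (s: import (./services + "/${s}") { inherit pkgs; })
          (filter (s: ! isNull (match ".*\\.nix" s)) (attrNames (readDir ./services)));
    in
    # Addresses are handed out sequentially from 10.10.0.2 (the host is
    # 10.10.0.1). NOTE(review): nothing stops this from running past the /24
    # after 253 services; fine at this scale, but unchecked.
    genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i + 2)}"; })
      (length services_no_ip);

  lib = import ./lib.nix;
  secrets = import ./secrets/secrets.nix;
  hostIp = "10.10.0.1";
in
{
  # One container per service: private network, its own firewall opened only
  # for the TCP/UDP ports the service module declares.
  containers = lib.foldMap
    ({ name, config, ip, ports, ... }: {
      ${name} = {
        autoStart = true;
        ephemeral = true;
        privateNetwork = true;
        hostAddress = hostIp;
        localAddress = ip;
        config = config // {
          boot.isContainer = true;
          networking = {
            hostName = "${name}";
            # Every container can resolve every other one as <name> and
            # <name>.containers.
            hosts = lib.foldMap
              ({ name, ip, ... }: { "${ip}" = [ "${name}.containers" "${name}" ]; })
              services;
            firewall.enable = true;
            firewall.allowedTCPPorts = ports.tcp;
            firewall.allowedUDPPorts = ports.udp;
          };
          system.stateVersion = state-version;
        };
      };
    })
    services;
}
// {
  # [NGINX]
  # Reverse proxy: each host name a service lists is forwarded to that
  # service's container on its HTTP port. Services with ports.http = null get
  # no virtual host.
  # NOTE(review): these virtual hosts are plain HTTP even though 443 is opened
  # below; if TLS is intended, set forceSSL/enableACME per virtual host.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = lib.foldMap
      ({ ports, hosts, ip, ... }:
        lib.foldMap
          (host:
            if (builtins.isNull ports.http) then { }
            else {
              "${host}" = {
                locations."/".proxyPass = "http://${ip}:${builtins.toString ports.http}";
              };
            })
          hosts)
      services;
  };

  # [SSHD]
  # Key-only access for non-root users. Consider also setting
  # KbdInteractiveAuthentication = false so PAM challenge-response cannot
  # reintroduce password logins.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # [NETWORK]
  # Host firewall exposes only ssh/http/https; containers (ve-*) are NATed.
  # NOTE(review): externalInterface = "lo" means container traffic is
  # masqueraded via loopback rather than a real uplink — confirm this is
  # intended for this host.
  networking = {
    hostName = "cafe";
    firewall.allowedTCPPorts = [ 22 80 443 ];
    firewall.allowedUDPPorts = [ ];
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "lo";
    };
  };

  # [USER]
  # Single admin account; sudo is disabled below in favour of doas.
  # NOTE(review): builtins.readFile copies the hash into the evaluated config,
  # so it ends up in the world-readable Nix store. If that matters here,
  # prefer hashedPasswordFile pointing at a path outside the store.
  users.users.admin = {
    isNormalUser = true;
    group = "admin";
    extraGroups = [ "wheel" ];
    hashedPassword = pkgs.lib.removeSuffix "\n" (builtins.readFile ./secrets/admin_password);
    openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
  };
  users.groups.admin = { };

  # [SOFTWARE]
  programs.bash.interactiveShellInit = '' set -o vi '';

  # [NIX]
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "monthly";
      options = "--delete-older-than 30d";
    };
  };

  security.sudo.enable = false;
  security.doas.enable = true;

  system.stateVersion = state-version;
}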