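# Host configuration for the "cafe" machine: one ephemeral NixOS container per
# service module found under ./services, all fronted by a single nginx reverse
# proxy on the host.
#
# Arguments:
#   state-version   NixOS stateVersion applied to the host and to every container
#   { pkgs, ... }   the usual NixOS module arguments
#
# Each ./services/*.nix file is imported with { inherit pkgs; } and must evaluate
# to a set providing at least: name, ip.{host,local}, config (a NixOS module),
# ports.{tcp,udp,http} and hosts (list of virtual-host names). Extra attributes
# are ignored.
state-version: { pkgs, ... }:
let
  lib = import ./lib.nix;

  # Only *.nix entries of ./services are service definitions. readDir also lists
  # directories and editor leftovers, so the name filter is applied to every
  # entry before importing. (The previous regex ".*\.nix" was really ".*.nix",
  # since "\." is not an escape in Nix strings, and matched e.g. "foonix".)
  serviceDir = builtins.readDir ./services;
  serviceFiles = builtins.filter (pkgs.lib.hasSuffix ".nix") (builtins.attrNames serviceDir);
  services = map (s: import (./services + "/${s}") { inherit pkgs; }) serviceFiles;

  # Container definition for one service. The per-container settings are merged
  # with the service's own module through the module system (imports) instead of
  # `//`: a shallow `//` would silently replace any `boot`, `networking` or
  # `system` subtree the service module defines. A service that itself sets one
  # of the single-valued options below (e.g. networking.hostName) now produces a
  # module-system conflict instead of being overridden without notice.
  mkContainer = { name, ip, config, ports, ... }: {
    containers.${name} = {
      autoStart = true;
      ephemeral = true;        # container state is not persisted across restarts
      privateNetwork = true;   # own network namespace, reachable via hostAddress/localAddress
      hostAddress = ip.host;
      localAddress = ip.local;
      config = {
        imports = [ config ];
        boot.isContainer = true;
        networking.hostName = name;
        networking.useDHCP = false;
        # The container runs its own firewall, so ports.http must be listed in
        # ports.tcp or the host's nginx cannot reach the backend.
        networking.firewall.enable = true;
        networking.firewall.allowedTCPPorts = ports.tcp;
        networking.firewall.allowedUDPPorts = ports.udp;
        system.stateVersion = state-version;
      };
    };
  };

  # One nginx virtual host per name in a service's `hosts`, each proxying "/" to
  # the container's HTTP port. Only plain HTTP is set up in this file (the host
  # firewall opens TCP 80 only); any TLS termination (forceSSL / enableACME)
  # would have to come from another module.
  mkVirtualHosts = { ip, ports, hosts, ... }:
    let
      upstream = "http://${ip.local}:${builtins.toString ports.http}";
    in
    lib.foldMap (host: { ${host}.locations."/".proxyPass = upstream; }) hosts;
in
lib.foldMap mkContainer services // {
  # [NGINX]
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;   # sets Host / X-Forwarded-* headers for the backends
    virtualHosts = lib.foldMap mkVirtualHosts services;
  };

  # [NETWORK]
  networking.firewall.allowedTCPPorts = [ 80 ];
  networking.firewall.allowedUDPPorts = [ ];
  networking.hostName = "cafe";

  # VM test user. fileContents strips the trailing newline from the file. The
  # hash is read at evaluation time and therefore lands in the (world-readable)
  # Nix store; it is a password hash, not the password, but on recent NixOS
  # users.users.admin.hashedPasswordFile keeps it out of the store altogether.
  users.users.admin = {
    isNormalUser = true;
    hashedPassword = pkgs.lib.fileContents ./secrets/admin_password;
    group = "admin";
  };
  users.groups.admin = { };

  system.stateVersion = state-version;
}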