{ config, lib, ... }: let
  slib = import ../../lib/pure.nix { inherit lib; };

  r6 = ip: (slib.krebs.genipv6 "retiolum" "lass" ip).address;
  w6 = ip: (slib.krebs.genipv6 "wiregrill" "lass" ip).address;
  hostFiles =
    builtins.map (lib.removeSuffix ".nix") (
      builtins.filter
        (x: lib.hasSuffix ".nix" x && x != "default.nix")
        (lib.attrNames (builtins.readDir ./.))
    );

in {
  dns.providers = {
    "lassul.us" = "zones";
  };
  hosts = lib.mapAttrs (_: lib.recursiveUpdate {
    owner = config.krebs.users.lass;
    consul = true;
    ci = true;
    monitoring = true;
    ssh.privkey.path = <secrets/ssh.id_ed25519>;
  }) (
    lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") {
      inherit config lib r6 w6;
      inherit (slib) krebs;
    })
  );
  users = rec {
    lass = lass-yubikey;
    lass-yubikey = {
      mail = "lass@green.r";
      pubkey = builtins.readFile ./ssh/yubikey.rsa;
      pgp.pubkeys.default = builtins.readFile ./pgp/yubikey.pgp;
    };
    lass-blue = {
      mail = "lass@blue.r";
      pubkey = builtins.readFile ./ssh/blue.rsa;
    };
    lass-green = {
      mail = "lass@green.r";
      pubkey = builtins.readFile ./ssh/green.ed25519;
    };
    lass-red = {
      mail = "lass@red.r";
      pubkey = builtins.readFile ./ssh/red.ed25519;
    };
    lass-mors = {
      mail = "lass@mors.r";
      pubkey = builtins.readFile ./ssh/mors.rsa;
      pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
    };
    lass-android = {
      mail = "lassulus@gmail.com";
      pubkey = builtins.readFile ./ssh/android.ed25519;
    };
    lass-tablet = {
      pubkey = builtins.readFile ./ssh/tablet.ed25519;
    };
  };
}