{ config, lib, ... }:

with import <stockholm/lib>;
  cfg = config.krebs;

  out = {
    imports = [
    options.krebs = api;
    config = lib.mkIf cfg.enable imp;

  api = {
    enable = mkEnableOption "krebs";

    dns = {
      providers = mkOption {
        type = with types; attrsOf str;

    hosts = mkOption {
      type = with types; attrsOf host;

    users = mkOption {
      type = with types; attrsOf user;

    # XXX is there a better place to define search-domain?
    # TODO search-domains :: listOf hostname
    search-domain = mkOption {
      type = types.hostname;
      default = "retiolum";
    zone-head-config  = mkOption {
      type = with types; attrsOf str;
      description = ''
        The zone configuration head which is being used to create the
        zone files. The string for each key is pre-pended to the zone file.
        # TODO: configure the default somewhere else,
        # maybe use krebs.dns.providers
      default = {

        # github.io ->
        "krebsco.de" = ''
          $TTL 86400
          @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
                                IN NS     ns19.ovh.net.
                                IN NS     dns19.ovh.net.
                                IN A
                                IN A

  imp = lib.mkMerge [
    { krebs = import ./lass   { inherit config lib; }; }
    { krebs = import ./makefu { inherit config lib; }; }
    { krebs = import ./mv     { inherit config lib; }; }
    { krebs = import ./shared { inherit config lib; }; }
    { krebs = import ./tv     { inherit config lib; }; }
      krebs.dns.providers = {
        "krebsco.de" = "zones";
        gg23 = "hosts";
        shack = "hosts";
        i = "hosts";
        internet = "hosts";
        r = "hosts";
        retiolum = "hosts";

      krebs.users = {
        krebs = {
          home = "/krebs";
          mail = "spam@krebsco.de";
        root = {
          home = "/root";
          pubkey = config.krebs.build.host.ssh.pubkey;
          uid = 0;

      networking.extraHosts = let
        domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
        check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
      in concatStringsSep "\n" (flatten (
        mapAttrsToList (hostname: host:
          mapAttrsToList (netname: net:
              aliases = longs ++ shorts;
              longs = filter check net.aliases;
              shorts = let s = ".${cfg.search-domain}"; in
                map (removeSuffix s) (filter (hasSuffix s) longs);
              map (addr: "${addr} ${toString aliases}") net.addrs
          ) (filterAttrs (name: host: host.aliases != []) host.nets)
        ) cfg.hosts

      # Implements environment.etc."zones/<zone-name>"
      environment.etc = let
        stripEmptyLines = s: (concatStringsSep "\n"
          (remove "\n" (remove "" (splitString "\n" s)))) + "\n";
        all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
          ([cfg.zone-head-config] ++ combined-hosts);
        combined-hosts = (mapAttrsToList (name: value: value.extraZones)  cfg.hosts );
      in lib.mapAttrs' (name: value: nameValuePair
        ("zones/" + name)
        { text=(stripEmptyLines value); }) all-zones;

      krebs.exim-smarthost.internet-aliases = let
        format = from: to: {
          inherit from;
          # TODO assert is-retiolum-mail-address to;
          to = concatMapStringsSep "," (getAttr "mail") (toList to);
      in mapAttrsToList format (with config.krebs.users; let
        eloop-ml = spam-ml ++ [ ciko Mic92 ];
        spam-ml = [
        ciko.mail = "wieczorek.stefan@gmail.com";
        Mic92.mail = "joerg@higgsboson.tk";
      in {
        "cfp@eloop.org" = eloop-ml;
        "kontakt@eloop.org" = eloop-ml;
        "root@eloop.org" = eloop-ml;
        "eloop2016@krebsco.de" = eloop-ml;
        "postmaster@krebsco.de" = spam-ml; # RFC 822
        "lass@krebsco.de" = lass;
        "makefu@krebsco.de" = makefu;
        "spam@krebsco.de" = spam-ml;
        "tv@krebsco.de" = tv;
        # XXX These are no internet aliases
        # XXX exim-retiolum hosts should be able to relay to retiolum addresses
        "lass@retiolum" = lass;
        "makefu@retiolum" = makefu;
        "spam@retiolum" = spam-ml;
        "tv@retiolum" = tv;
        "lass@r" = lass;
        "makefu@r" = makefu;
        "spam@r" = spam-ml;
        "tv@r" = tv;

      services.openssh.hostKeys =
        let inherit (config.krebs.build.host.ssh) privkey; in
        mkIf (privkey != null) (mkForce [privkey]);

      # TODO use imports for merging
      services.openssh.knownHosts =
        (let inherit (config.krebs.build.host.ssh) pubkey; in
          optionalAttrs (pubkey != null) {
            localhost = {
              hostNames = ["localhost" "" "::1"];
              publicKey = pubkey;
        # GitHub's IPv4 address range is
        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
        # = (1024 addresses)
        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
        # we split each /24 into its own entry.
        listToAttrs (map
          (c: {
            name = "github${toString c}";
            value = {
              hostNames = ["github.com"] ++
                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
          (range 252 255))
          (name: host: {
            hostNames =
                  (net-name: net:
                      longs = net.aliases;
                      shorts =
                        map (removeSuffix ".${cfg.search-domain}")
                            (filter (hasSuffix ".${cfg.search-domain}")
                      add-port = a:
                        if net.ssh.port != 22
                          then "[${a}]:${toString net.ssh.port}"
                          else a;
                    map add-port (shorts ++ longs ++ net.addrs))

            publicKey = host.ssh.pubkey;
          (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);

      programs.ssh.extraConfig = concatMapStrings
        (net: ''
          Host ${toString (net.aliases ++ net.addrs)}
            Port ${toString net.ssh.port}
          (net: net.ssh.port != 22)
          (concatMap (host: attrValues host.nets)
              (_: host: recursiveUpdate host
                (optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
                  nets."" = host.nets.${config.krebs.search-domain} // {
                    aliases = [host.name];
                    addrs = [];

in out