{ config, lib, pkgs, ... }:

with import <stockholm/lib>;
{
  krebs.enable = true;
  krebs.tinc.retiolum.enable = true;

  # TODO rename shared user to "krebs"
  krebs.build.user = mkDefault config.krebs.users.shared;
  krebs.build.source = let inherit (config.krebs.build) host user; in {
    nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
    nixpkgs.git = {
      url = https://github.com/NixOS/nixpkgs;
      ref = "58e227052d40021d82d015f3f8da011ae54ea430"; # nixos-17.03 @ 2017-05-24
    };
    secrets.file =
      if getEnv "dummy_secrets" == "true"
        then toString <stockholm/shared/6tests/data/secrets>
        else "${getEnv "HOME"}/secrets/krebs/${host.name}";
    stockholm.file = getEnv "PWD";
  };

  networking.hostName = config.krebs.build.host.name;

  nix.maxJobs = 1;
  nix.trustedBinaryCaches = [
    "https://cache.nixos.org"
    "http://cache.nixos.org"
    "http://hydra.nixos.org"
  ];
  nix.useSandbox = true;

  environment.systemPackages = with pkgs; [
    git
    rxvt_unicode.terminfo
  ];

  programs.ssh.startAgent = false;

  services.openssh = {
    enable = true;
    hostKeys = [
      { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
    ];
  };
  services.cron.enable = false;
  services.nscd.enable = false;
  services.ntp.enable = false;

  users.mutableUsers = false;
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    # TODO
    config.krebs.users.lass.pubkey
    config.krebs.users.makefu.pubkey
    # TODO HARDER:
    config.krebs.users.makefu-omo.pubkey
    config.krebs.users.tv.pubkey
  ];


  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "15.09";

}