{ config, lib, pkgs, ... }:

with lib;

  # NOTE(review): this listing is incomplete — the attrset that should open after
  # `with lib;`, several closing brackets and some list bodies are missing
  # (extraction artefact). The comments below describe only the options visible here.

  krebs.enable = true;

  # Deployment settings for this host. The build user pushes to the target as
  # root over SSH, so the deploying account's SSH identity is effectively root on
  # every host it deploys.
  krebs.build = {
    user = config.krebs.users.tv;
    target = mkDefault "root@${config.krebs.build.host.name}";
    # Every source entry is wrapped in mkDefault so a per-host file can override it.
    source = mapAttrs (_: mkDefault) ({
      nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
      nixpkgs = symlink:stockholm/nixpkgs;
      # Secrets are read from the deploying user's home, not from the repository.
      secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
      secrets-common = "/home/tv/secrets/common";
      stockholm = "/home/tv/stockholm";
      stockholm-user = "symlink:stockholm/tv";
      upstream-nixpkgs = {
        url = https://github.com/NixOS/nixpkgs;
        # Pinned to a fixed commit so the upstream tree is reproducible and cannot
        # change underneath a deployment.
        rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
        dev = "/home/tv/nixpkgs";
    # Master secrets are only shipped to hosts flagged as secure.
    } // optionalAttrs config.krebs.build.host.secure {
      secrets-master = "/home/tv/secrets/master";

  networking.hostName = config.krebs.build.host.name;

  imports = [
      # stockholm dependencies
      environment.systemPackages = with pkgs; [
      # Fully declarative accounts: with mutableUsers = false only the users
      # defined in configuration exist, and changes made on the host (passwd,
      # useradd) do not persist across rebuilds.
      users = {
        defaultUserShell = "/run/current-system/sw/bin/bash";
        mutableUsers = false;
        users = {
          tv = {
            isNormalUser = true;
            # Fixed uid keeps file ownership stable across hosts and rebuilds.
            uid = 1337;
      # sudo's notification mails (sent on the events sudo is configured to
      # report, e.g. use by an unauthorised account) go to tv's address.
      security.sudo.extraConfig = ''
        Defaults mailto="${config.krebs.users.tv.mail}"
      time.timeZone = "Europe/Berlin";
      # TODO check if both are required:
      # Host paths exposed inside the build chroot; /etc/protocols and the
      # iana_etc store path provide overlapping data, hence the TODO above.
      nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];

      # List body is missing from this listing.
      nix.trustedBinaryCaches = [

      # Build in a chroot so build scripts cannot read the host filesystem.
      nix.useChroot = true;
      nixpkgs.config.allowUnfree = false;
      # Only /bin of each profile is appended to PATH; mkForce drops the module defaults.
      environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];

      # NOTE(review): environment.systemPackages also appears above; with the
      # surrounding braces missing it is unclear whether these belong to two
      # separate modules or are a duplicate definition — confirm against the full file.
      environment.systemPackages = with pkgs; [

      # mkForce replaces the default alias set entirely instead of merging into it.
      environment.shellAliases = mkForce {
        # alias cal='cal -m3'
        gp = "${pkgs.pari}/bin/gp -q";
        df = "df -h";
        du = "du -h";
        # alias grep='grep --color=auto'

        # TODO alias cannot contain #\'
        # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";

        # alias la='ls -lA'
        lAtr = "ls -lAtr";
        # alias ll='ls -l'
        ls = "ls -h --color=auto --group-directories-first";
        dmesg = "dmesg -L --reltime";
        view = "vim -R";

        reload = "systemctl reload";
        restart = "systemctl restart";
        start = "systemctl start";
        status = "systemctl status";
        stop = "systemctl stop";

      # NIX_PATH on the host is forced to a fixed value; `secrets` points at a
      # "null" tree under /var/src — presumably so evaluation on the host itself
      # never reads real secrets. Verify against the deployment layout.
      environment.variables = {
        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";

      # Interactive shell setup: checkhash (re-verify hashed commands exist
      # before running them), append-only history with edit/verify of history
      # expansions, no completion on an empty line, directory-only completion
      # for cd, then the project's bash_completion.sh spliced in at build time.
      programs.bash = {
        interactiveShellInit = ''

          shopt -s checkhash
          shopt -s histappend histreedit histverify
          shopt -s no_empty_cmd_completion
          complete -d cd

          ${readFile ./bash_completion.sh}

          # TODO source bridge
        # Prompt colour is selected by $UID (the case labels are missing from this
        # listing; presumably one branch is root). The hostname is prefixed for
        # SSH sessions and an ssh-agent tag is added when SSH_AGENT_PID is set.
        promptInit = ''
          case $UID in
              PS1='\[\e[1;31m\]\w\[\e[0m\] '
              PS1='\[\e[1;32m\]\w\[\e[0m\] '
              PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
          if test -n "$SSH_CLIENT"; then
            PS1='\[\e[35m\]\h'" $PS1"
          if test -n "$SSH_AGENT_PID"; then
            PS1="ssh-agent[$SSH_AGENT_PID] $PS1"

      programs.ssh = {
        # Client-side hardening: UseRoaming no turns off the OpenSSH client's
        # connection-roaming feature for all users.
        extraConfig = ''
          UseRoaming no
        # No system-wide ssh-agent; users start their own if needed.
        startAgent = false;

      # Services not needed on this host are kept off to reduce the running
      # attack surface.
      services.cron.enable = false;
      services.nscd.enable = false;
      services.ntp.enable = false;

      boot.kernel.sysctl = {
        # Enable IPv6 Privacy Extensions
        # 2 = generate temporary addresses and prefer them for outgoing traffic.
        "net.ipv6.conf.all.use_tempaddr" = 2;
        "net.ipv6.conf.default.use_tempaddr" = 2;

      # Host firewall from the site-local tv.iptables module; the only inbound
      # accept rule is the ssh one further down.
      tv.iptables.enable = true;

      services.openssh = {
        enable = true;
        # Only an ed25519 host key is configured; no RSA/ECDSA host keys are offered.
        hostKeys = [
          { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
      # New inbound TCP connections from the internet are accepted for ssh only.
      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";

      # TODO: exim
      # sendmail is setuid so the sudo mailto notifications above can be delivered.
      security.setuidPrograms = [
        "sendmail"  # for sudo
      # At boot, create a private (0700) runtime directory per user for root and
      # for every declared account whose primary group ends in "users";
      # XDG_RUNTIME_DIR below points each login at its own directory.
      systemd.tmpfiles.rules = let
        forUsers = flip map users;
        isUser = { name, group, ... }:
          name == "root" || hasSuffix "users" group;
        users = filter isUser (mapAttrsToList (_: id) config.users.users);
      in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
      environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";