{ config, pkgs, lib, ... }:

let
  coreAddress = "172.20.72.40";
  corePrefixlen = 26;
  meshInterface = "bmx";
  meshLoopback = "bmx_prime";
  ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
  secrets = import <secrets/hosts/freifunk>;
  ddmeshRegisterKey = secrets.ddmeshRegisterKey;
  ddmeshNode = 51073;
  ddmeshAddrPart = "200.74";
  rt_table = 7;
in {
  imports = [
    <nixpkgs/nixos/modules/profiles/minimal.nix>
    <lib>
    <lib/lxc-container.nix>
    <lib/shared.nix>
  ];

  c3d2 = {
    isInHq = false;
    enableHail = false;
    hq.statistics.enable = true;
  };
  services.collectd.plugins.protocols = "";

  networking.hostName = "freifunk";
  networking.useNetworkd = true;
  networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
  networking.firewall.enable = false;
  networking.nat = {
    enable = true;
    externalInterface = meshInterface;
    #internalInterfaces = [ "core" ];
    extraCommands = ''
      set +e
      ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
        \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
      set -e
    '';
  };
  networking.iproute2 = {
    enable = true;
    rttablesExtraConfig = "${toString rt_table} bmx";
  };

  # Required for krops
  services.openssh.enable = true;
  environment.systemPackages = with pkgs; [ git tcpdump ];

  systemd.network = {
    netdevs = {
      bmx_prime = {
        enable = true;
        netdevConfig = {
          Kind = "bridge";
          Name = meshLoopback;
        };
      };
    };
    networks = {
      "10-bmx" = {
        enable = true;
        matchConfig = { Name = meshInterface; };
        addresses = [ {
          addressConfig = {
            Address = "10.201.${ddmeshAddrPart}/16";
            Broadcast = "10.255.255.255";
          };
        } ];
      };
      "11-bmx-loopback" = {
        enable = true;
        matchConfig = { Name = meshLoopback; };
        addresses = [ {
          addressConfig = {
            Address = "10.200.${ddmeshAddrPart}/32";
            Broadcast = "10.255.255.255";
          };
        } ];
      };
      "20-core" = {
        enable = true;
        matchConfig = { Name = "core"; };
        addresses = [ {
          addressConfig = {
            Address = "${coreAddress}/${toString corePrefixlen}";
          };
        } {
          addressConfig = {
            Address = "2a02:8106:208:5281:8000::1/64";
          };
        } {
          addressConfig = {
            Address = "fd23:42:c3d2:581:8000::1/64";
          };
        } ];
        routes = [ {
          routeConfig = {
            # upstream1
            Gateway = "2a02:8106:208:5281::b:0";
          };
        } {
          routeConfig = {
            # anon1
            Gateway = "172.20.72.7";
          };
        } ];
      };
    };
  };
  systemd.services.bmxd =
    let
      bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
    in {
      after = [ "systemd-networkd.service" ];
      wantedBy = [ "network.target" ];
      serviceConfig = {
        ExecStart = ''
          ${bmxd}/sbin/bmxd \
            --rt_table_offset=${toString rt_table} \
            --no_fork 1 \
            --throw-rules 0 \
            --prio-rules 0 \
            dev=bmx_prime /linklayer 0 \
            dev=${meshInterface} /linklayer 1
        '';
        Restart = "always";
      };
    };
  systemd.services.ddmesh-register-node = {
    script = ''
      ${pkgs.curl}/bin/curl \
        -o /tmp/ddmesh-registration.json \
        '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'
    '';
    serviceConfig = {
      User = "nobody";
      Group = "nogroup";
    };
  };
  systemd.timers.ddmesh-register-node = {
    partOf      = [ "ddmesh-register-node.service" ];
    wantedBy    = [ "timers.target" ];
    timerConfig.OnCalendar = "daily";
  };

  services.bird2 = {
    enable = true;
    config = ''
        protocol kernel K4 {
          ipv4 {
            export all;
          };
        }
        protocol kernel K6 {
          ipv6 {
            export all;
          };
        }
        protocol device {
          scan time 10;
        }

        protocol ospf v2 ZW4 {
          area 0 {
            networks {
              172.20.72.0/21;
            };
            stubnet 10.200.0.0/16;
            interface "core" {
              authentication cryptographic;
              password "${import <secrets/shared/ospf/message-digest-key.nix>}";
            };
          };
        }

        protocol ospf v3 ZW6 {
          area 0 {
            networks {
              fd23:42:c3d2:500::/56;
              2a02:8106:208:5200::/56;
              2a02:8106:211:e900::/56;
            };
            interface "core" {
              #authentication cryptographic;
              #password "${import <secrets/shared/ospf/message-digest-key.nix>}";
            };
          };
        }

        router id ${coreAddress};
      '';
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "20.03"; # Did you read the comment?
}