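# Skyflake cluster node configuration (nomad + ceph) shared by the cluster
# members listed in `servers`.  Evaluated per host; `hostName` selects which
# role-specific settings (nomad client, storage meta) apply to this machine.
{ zentralwerk, hostRegistry, config, lib, ... }:

let
  inherit (config.networking) hostName;

  # hydra does *not* use this module because it only runs a nomad
  # server but no client and no microvms
  servers = [ "server8" "server9" "server10" "hydra" ];
  microvmServers = [ "server8" "server9" "server10" ];
  storageServers = [ "server8" "server9" ];

  # Name of the first site net ("cluster" preferred over "serv") that has an
  # IPv4 address for `server`, or null if neither does.
  serverNet = server:
    lib.findFirst
      (net: zentralwerk.lib.config.site.net.${net}.hosts4 ? ${server})
      null
      [ "cluster" "serv" ];

  # Site net config for `server`.  Fails with a readable message instead of
  # Nix's generic "value is null" error when the host is in no known net.
  serverNetConfig = server:
    let net = serverNet server;
    in if net == null
       then throw "skyflake: cluster member ${server} has no address in the cluster or serv net"
       else zentralwerk.lib.config.site.net.${net};
in
{
  # Open firewall between cluster members.
  # NOTE: these rules accept *all* traffic from a peer's address (no port
  # restriction), so every host in `servers` is fully trusted by the others.
  networking.firewall.extraCommands = lib.concatMapStrings (server:
    let
      netConfig = serverNetConfig server;
      # One rule per IPv6 net the peer actually has an address in; nets
      # without an entry for `server` are skipped rather than failing the
      # evaluation (fail-closed: nothing extra is opened).
      v6Rules = lib.concatMapStrings (hosts6:
        lib.optionalString (hosts6 ? ${server}) ''
          ip6tables -A nixos-fw --source ${hosts6.${server}} -j ACCEPT
        ''
      ) (builtins.attrValues netConfig.hosts6);
    in lib.optionalString (server != hostName) ''
      iptables -A nixos-fw --source ${netConfig.hosts4.${server}} -j ACCEPT
      ${v6Rules}
    ''
  ) servers;

  # Cluster configuration
  skyflake = {
    # debug = true;

    # Node name -> address map for every cluster member
    nodes = lib.genAttrs servers (name: {
      address = hostRegistry.${name}.ip4;
    });

    # Extra nomad configuration
    nomad = {
      datacenter = "c3d2";
      inherit servers;
      # run tasks only on these:
      client.enable = builtins.elem hostName microvmServers;
      client.meta = lib.optionalAttrs (builtins.elem hostName storageServers) {
        "c3d2.storage" = "big";
      };
    };

    # The user that runs skyflake MicroVMs
    microvmUid = 997;

    users = {
      # Deployment user for hosts in this flake
      c3d2 = {
        uid = 1001;
        sshKeys = config.users.users.root.openssh.authorizedKeys.keys;
      };
      # Deployment user for leon who also uses this flake
      leon = {
        uid = 1002;
        sshKeys = with (import ../../ssh-public-keys.nix).users; leon ++ astro;
      };
    };

    deploy.customizationModule = ./deployment.nix;

    # Ceph storage cluster configuration
    storage.ceph = rec {
      fsid = "a06b1061-ef09-46d6-a15f-2f8ce4d7d1bf";
      mons = [ "server8" "server9" "server10" ];
      mgrs = mons;
      mdss = mons;
      # Keyring paths are provided by sops (see sops.secrets below)
      monKeyring = config.sops.secrets."ceph/monKeyring".path;
      adminKeyring = config.sops.secrets."ceph/adminKeyring".path;
    };
  };

  # Ceph keyrings, both decrypted from the same sops file and owned by the
  # ceph user.
  sops.secrets = lib.genAttrs [ "ceph/monKeyring" "ceph/adminKeyring" ] (_: {
    owner = "ceph";
    sopsFile = ../../config/ceph.yaml;
  });

  # Collectd monitoring for ceph: one SocketPath line per configured ceph
  # daemon of each type.
  services.collectd.plugins.ceph =
    let
      # Renders the admin-socket paths for all `ids` of daemon type `daemon`
      socketPaths = daemon: ids: lib.concatMapStrings (id: ''
        SocketPath "/var/run/ceph/ceph-${daemon}.${id}.asok"
      '') ids;
    in ''
      ConvertSpecialMetricTypes true
      ${socketPaths "mon" config.services.ceph.mon.daemons}
      ${socketPaths "mgr" config.services.ceph.mgr.daemons}
      ${socketPaths "mds" config.services.ceph.mds.daemons}
      ${socketPaths "osd" config.services.ceph.osd.daemons}
    '';

  # HACK: let collectd access ceph sockets by running the whole daemon as the
  # ceph user.  Everything owned by "ceph" -- including the sops keyrings
  # declared above -- thereby becomes readable by collectd; a narrower grant
  # (e.g. a supplementary group with access to the socket directory) would
  # limit that exposure.
  systemd.services.collectd.serviceConfig.User = lib.mkForce "ceph";
}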