# NixOS module for a Raspberry Pi netboot server: atftpd serves the boot files
# and the NFS server exports /nix/store read-only to the listed client subnets.
{ tftproots, hostRegistry, lib, pkgs, ... }:

let
  # Serial numbers of every registry host that declares one. Hosts with no
  # `serial` attribute, or with `serial = null`, are skipped.
  serials = map (host: host.serial) (
    builtins.filter
      ({ serial ? null, ... }: serial != null)
      (builtins.attrValues hostRegistry.hosts)
  );

  # One `ln -s` line per serial. Every serial directory points at the same
  # mutable path under /var/lib/nfsroot, which lives outside the Nix store:
  # whoever can write to that directory decides which boot files the clients
  # receive, so its ownership and permissions matter.
  serialLinks = lib.concatStrings (map (serial: ''
    ln -s /var/lib/nfsroot/dacbert/boot $out/${serial}
  '') serials);

  # TFTP root: symlink copy of the packaged netboot tree plus the per-serial
  # links built above.
  tftpRoot = pkgs.runCommand "tftproot" { } ''
    mkdir $out
    cp -sr ${tftproots.rpi-netboot-tftproot}/* $out/
    ${serialLinks}
  '';
in
{
  # NOTE(review): the host firewall is switched off completely. Every service
  # listening on this machine is therefore reachable from every attached
  # network. The subnet list further down restricts the NFS export only;
  # nothing in this module restricts who may talk to atftpd, and TFTP has no
  # authentication. Consider enabling the firewall and opening only the ports
  # netboot needs.
  networking.firewall.enable = false;

  # raspberrypi boot
  services.atftpd = {
    enable = true;
    root = tftpRoot;
  };

  # share /nix/store via NFS read-only
  services.nfs.server = {
    enable = true;
    exports =
      let
        # Client networks allowed to mount the export. The NFS server matches
        # on source address and no `sec=` option is set, so this list is only
        # as strong as routing and anti-spoofing on these networks.
        clientNets = [
          "172.22.99.0/24"
          "172.20.72.0/21"
          "30c:c3d2:b946:76d0::/64"
          "2a00:8180:2c00:200::/56"
          "fd23:42:c3d2:500::/56"
        ];

        # Export option string for one client entry.
        # NOTE(review): `no_root_squash` leaves client uid 0 unmapped. On a
        # read-only export that affects read access only, but it still means
        # the whole store, including any secret that ended up in a store
        # path, is readable from every address in clientNets. Confirm the
        # netboot clients really need it.
        exportOpts = mode: fsid:
          "${mode},async,no_subtree_check,no_root_squash,fsid=${toString fsid}";

        clientSpecs = map (net: "${net}(${exportOpts "ro" 0})") clientNets;
      in
      ''
        /nix/store ${lib.concatStringsSep " " clientSpecs}
      '';
  };
}