{ self, nixpkgs, system }:
with nixpkgs.lib;
let
  pkgs = nixpkgs.legacyPackages.${system};
  config = self.lib.config;
  
  templates = role: {
    ap = _: ../../salt/cpe/ap.sh;
    switch = model: ../../salt/switches + "/${model}.expect";
  }.${role};
  replaceNetmasks = template:
    builtins.toFile (builtins.baseNameOf template) (
      builtins.replaceStrings [''{%- import_yaml "netmasks.yaml" as netmasks -%}''] [""] (
        builtins.readFile template
      )
    );
  expandTemplate = name: template: data:
    self.lib.expandSaltTemplate name (replaceNetmasks template) data;

  device-scripts =
    builtins.mapAttrs (hostname: { role, model, ... }:
      expandTemplate "${hostname}.sh" (templates role model) ({
        inherit hostname;
        pillar = config.salt-pillar;
        netmasks = self.lib.netmasks;
        logging = config.salt-pillar.hosts-inet.mgmt.logging;
      } // optionalAttrs (config.salt-pillar.switches ? ${hostname}) {
        switch = config.salt-pillar.switches.${hostname};
      } // optionalAttrs (config.salt-pillar.cpe ? ${hostname}) {
        conf = config.salt-pillar.cpe.${hostname};
      })
    ) (filterAttrs (_: { role, ... }:
      role == "ap" || role == "switch"
    ) config.site.hosts);

  all-device-scripts =
    pkgs.runCommandLocal "all-device-scripts" {} (
      ''
        mkdir -p $out/bin
      '' +
      builtins.concatStringsSep "\n" (
        map (hostname:
          "ln -s ${config.site.device-scripts.${hostname}} $out/bin/${hostname}.sh"
        ) (builtins.attrNames config.site.device-scripts)
      )
    );
in
{
  inherit all-device-scripts;
} // device-scripts