{ self, nixpkgs, system, openwrt-imagebuilder }:

let
  inherit (self.lib) config;
  pkgs = nixpkgs.legacyPackages.${system};
  uciConfig = hostName: import ./uci-config.nix { inherit self pkgs hostName; };

  modelPackages = {
    "tplink_archer-c7-v2" = [
      "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
      "kmod-ath10k" "ath10k-firmware-qca988x"
    ];
    "tplink_archer-c7-v5" = [
      "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
      "kmod-ath10k" "ath10k-firmware-qca988x"
    ];
    "ubnt_unifiac-lite" = [
      "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
      "kmod-ath10k" "ath10k-firmware-qca988x"
    ];
    "dir-615-d" = [
      # flash size reasons
      "-wpad-openssl"
      "-tcpdump"
      "wpad-wolfssl"
    ];
  };
in rec {
  sshScript = hostName:
    let
      address = config.site.net.mgmt.hosts4.${hostName};
    in ''
      #! ${pkgs.runtimeShell} -e

      ssh root@${address} "cat > /tmp/openwrt-image" < ${buildImage hostName}/openwrt-*-${hostName}-*-sysupgrade.bin
      ssh root@${address} "sysupgrade -n /tmp/openwrt-image" || true

      # ssh hostkey will have changed after boot
      ssh-keygen -R ${address}

      /run/wrappers/bin/ping ${address}
    '';

  buildImage = hostName:
    let
      inherit (config.site.hosts.${hostName}) model;
      matches = (openwrt-imagebuilder.lib.profiles {
        inherit pkgs;
      }).identifyProfiles model;
      fallbackProfile =
        if model == "dir-615-d"
        then (openwrt-imagebuilder.lib.profiles {
          inherit pkgs;
          release = "19.07.10";
        }).identifyProfile model
        else if builtins.match "tl-wr.*" model != null
        then {
          release = "18.06.9";
          packagesArch = "mips_24kc";
          target = "ar71xx";
          variant = "tiny";
          profile = model;
          sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
          feedsSha256 = {
            base.sha256 = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
            packages.sha256 = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
          };
        }
        else null;
      build = args:
        openwrt-imagebuilder.lib.build (args // {
          extraImageName = "zw-${hostName}";
          packages = [
            # remove unused default .ipk
            "-dnsmasq" "-firewall"
            "-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox"
            "-iptables" "-ip6tables" "-kmod-ipt-offload"
            "-odhcp6c" "-odhcpd-ipv6only"
            # debugging
            "tcpdump"
            # monitoring
            "collectd" "collectd-mod-interface" "collectd-mod-load"
            "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
            # wpa3
            "-wpad-basic-wolfssl" "-wpad-mini"
            "wpad-openssl"
          ] ++ modelPackages.${model} or [];
          disabledServices = [ "dnsmasq" "uhttpd" ];
          files = pkgs.runCommandNoCC "image-files" {} ''
            mkdir -p $out/etc/uci-defaults
            cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
            ${uciConfig hostName}
            EOF
          '';
        });
    in
      if matches == [] && fallbackProfile != null
      then build fallbackProfile
      else if matches == []
      then builtins.trace "${hostName} (${model}) not supported by OpenWRT"
        null
      else if builtins.length matches == 1
      then build (builtins.elemAt matches 0)
      else builtins.trace "${hostName} (${model}) has multiple models!" (
        build (builtins.elemAt matches 0)
      );

}