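# Package set for one `system`: per-host rootfs and VM derivations, OpenWrt
# images, generated reports/graphs, and helper scripts for handling the
# GPG-encrypted production secrets kept under ./config.
{ self, nixpkgs, system, openwrt-imagebuilder }:

let
  inherit (self.lib) config;

  pkgs = nixpkgs.legacyPackages.${system};

  # Pretty-printed dump of self.lib.openwrtModels as a store file.
  export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
    nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
  );

  # Pretty-printed dump of the whole site config as a store file.
  # NOTE(review): the Nix store is world-readable. If `config` includes
  # values merged from config/secrets.nix, building this writes them to the
  # store in plaintext. Confirm before building on shared machines.
  export-config = pkgs.writeText "config.nix" (
    nixpkgs.lib.generators.toPretty {} config
  );

  # Encrypts config/secrets-production.nix to an ASCII-armored .gpg file.
  # `--trust-model always` skips gpg's key-validity check, so the only thing
  # tying the ciphertext to the intended recipient is the full fingerprint
  # pinned below; check that fingerprint whenever the recipient key changes.
  # The output redirection truncates the existing .gpg before gpg runs, so a
  # failed run leaves an empty ciphertext file behind.
  encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    cd config
    exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \
      --encrypt -r 1F0F221A7483B5EF5D103D8B32EBADE870BAF886 \
      < secrets-production.nix \
      > secrets-production.nix.gpg
  '';

  # Decrypts config/secrets-production.nix.gpg to plaintext, keeping any
  # previous plaintext as secrets-production.nix.old.
  # `umask 077` makes the newly created plaintext file owner-only instead of
  # inheriting the caller's (typically world-readable) default.
  decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    umask 077
    cd config
    [ -e secrets-production.nix ] && \
      mv secrets-production.nix secrets-production.nix.old
    exec ${pkgs.gnupg}/bin/gpg -d \
      > secrets-production.nix \
      < secrets-production.nix.gpg
  '';

  # Decrypts the production secrets and installs them as config/secrets.nix.
  # The script is named after its attribute so it no longer shares the
  # bin/decrypt-secrets path with the package above.
  # `umask 077` only affects a newly created secrets.nix; an existing file
  # keeps its current mode when cp overwrites it.
  switch-to-production = pkgs.writeScriptBin "switch-to-production" ''
    #! ${pkgs.runtimeShell} -e

    umask 077
    ${decrypt-secrets}/bin/decrypt-secrets
    cd config
    cp secrets-production.nix secrets.nix
  '';

  network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
  network-graphs = import ./network-graphs.nix { inherit config pkgs; };

  # System closure (toplevel) of the NixOS configuration for `hostName`.
  mkRootfs = hostName:
    self.nixosConfigurations.${hostName}.config.system.build.toplevel;

  # "<host>-rootfs" for every host whose role is "server" or "container".
  rootfs-packages =
    builtins.foldl' (rootfs: hostName: rootfs // {
      "${hostName}-rootfs" = mkRootfs hostName;
    }) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          builtins.elem role ["server" "container"]
        ) config.site.hosts
      )
    );

  # "<host>-vm" for every host whose role is "server"; mainProgram is set so
  # the package points at its run-<host>-vm launcher.
  vm-packages =
    builtins.foldl' (rootfs: hostName: rootfs // {
      "${hostName}-vm" = self.nixosConfigurations.${hostName}.config.system.build.vm
        .overrideAttrs (_oa: {
          meta.mainProgram = "run-${hostName}-vm";
        });
    }) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          role == "server"
        ) config.site.hosts
      )
    );

  # Directory of symlinks, one per rootfs package, named after each package.
  all-rootfs = with pkgs; runCommand "all-rootfs" {} ''
    mkdir -p $out
    ${lib.concatMapStrings (pkg: ''
      ln -s ${pkg} $out/${pkg.name}
    '') (builtins.attrValues rootfs-packages)}
  '';

  openwrt = import ./openwrt { inherit self nixpkgs system openwrt-imagebuilder; };

  # "<host>-image" for every host whose role is "ap"; hosts for which
  # openwrt.buildImage returns null are skipped.
  openwrt-images =
    builtins.foldl' (images: hostName:
      let
        image = openwrt.buildImage hostName;
      in
        if image != null
        then images // { "${hostName}-image" = image; }
        else images
    ) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          role == "ap"
        ) config.site.hosts
      )
    );

  device-templates = import ./device-templates.nix { inherit self nixpkgs system openwrt; };
  dns-slaves = import ./dns-slaves.nix { inherit self nixpkgs system; };
  starlink = import ./starlink { inherit pkgs; };
  subnetplans = import ./subnetplans.nix { inherit self nixpkgs system; };
  vlan-report = import ./vlan-report.nix { inherit self nixpkgs system; };

in
rootfs-packages // vm-packages // device-templates // openwrt-images // network-graphs // network-cypher-graphs // starlink // subnetplans // {
  inherit all-rootfs export-openwrt-models export-config dns-slaves
    encrypt-secrets decrypt-secrets switch-to-production
    vlan-report;
}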