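{ hostName, self, config, lib, pkgs, ... }:

let
  # Alternative host selection via the site inventory, kept for reference:
  # ctHosts =
  #   lib.filterAttrs (_: { role, model, location, ... }:
  #     role == "container" &&
  #     model == "lxc" &&
  #     location == hostName
  #   ) config.site.hosts;

  # Salt pillar for this host; container definitions are read from its
  # `containers` attribute when that attribute is present.
  pillar = self.lib.saltPillarFor hostName;

  # Containers to deploy on this host, keyed by container name.
  # TODO: remove 1 line
  containers =
    lib.filterAttrs (ctName: _: ctName == "upstream1")
      (if pillar ? containers then pillar.containers else {});

  enabled = containers != {};

  # LXC config file for one container, written into the store with
  # builtins.toFile. The builtins.trace call only echoes the container name
  # during evaluation; it does not change the file content.
  #
  # The automount key was previously spelled `lxc,mount.auto`, so the
  # `proc:mixed sys:ro cgroup:mixed` setting was never a valid LXC key;
  # it is now `lxc.mount.auto`. `sys_time` was also listed twice in
  # `lxc.cap.drop`; the duplicate is dropped, the set of capabilities is
  # unchanged.
  #
  # NOTE(review): `lxc.net.0.veth.pair` and `lxc.net.0.hwaddr` are identical
  # for every container, so they collide as soon as a second container is
  # enabled — derive them from ctName before removing the filter above.
  # NOTE(review): `security.privileged` is LXD/Incus instance syntax rather
  # than an LXC container key, and `lxc.cgroup.memory.*` are cgroup v1 keys
  # (cgroup v2 hosts use `lxc.cgroup2.*`) — confirm both against the LXC
  # version shipped in pkgs.lxc.
  ctConfig = ctName:
    builtins.trace ctName (builtins.toFile "${ctName}.conf" ''
      # For lxcfs and sane defaults
      lxc.include = /etc/lxc/common.conf
      lxc.uts.name = ${ctName}
      # Handled by lxc@.service
      lxc.start.auto = 0
      # config.system.build.toplevel
      lxc.rootfs.path = /etc/lxc/containers/${ctName}/rootfs
      lxc.init.cmd = "/init"
      lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
      lxc.mount.entry = none nix/var tmpfs defaults 0 0
      lxc.mount.entry = none bin tmpfs defaults 0 0
      #lxc.mount.entry = none dev tmpfs defaults 0 0
      lxc.mount.entry = none root tmpfs defaults 0 0
      lxc.mount.entry = none tmp tmpfs defaults 0 0
      lxc.mount.entry = none var tmpfs defaults 0 0
      lxc.mount.entry = none home tmpfs defaults 0 0
      lxc.mount.entry = none usr tmpfs defaults 0 0
      lxc.mount.entry = none run tmpfs defaults 0 0
      lxc.mount.entry = none etc tmpfs defaults 0 0
      lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
      lxc.autodev = 1
      lxc.tty.max = 0
      lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio mknod
      lxc.apparmor.profile = unchanged
      security.privileged = false
      lxc.cgroup.memory.limit_in_bytes = 1G
      lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
      # tuntap
      lxc.cgroup.devices.allow = c 10:200 rw
      lxc.net.0.type = veth
      lxc.net.0.flags = up
      lxc.net.0.veth.mode = bridge
      lxc.net.0.veth.pair = test
      lxc.net.0.link = virbr0
      lxc.net.0.hwaddr = 00:23:de:ad:be:ef
    '');

  # /etc entries for one container: the rootfs link and its config file.
  # The rootfs comes from the flake package named "<ctName>-rootfs".
  ctEtc = ctName: {
    "lxc/containers/${ctName}/rootfs" = {
      source = self.packages.x86_64-linux."${ctName}-rootfs";
    };
    "lxc/containers/${ctName}/config" = {
      enable = true;
      source = ctConfig ctName;
    };
  };
in {
  # Host-side LXC daemon config; only enabled when at least one container
  # is selected for this host.
  virtualisation.lxc = lib.mkIf enabled {
    enable = true;
    systemConfig = ''
      lxc.lxcpath = /etc/lxc/containers
      # lxc.rootfs.backend = zfs
      # lxc.bdev.zfs.root = vault/sys/atom/var/lib/lxc
    '';
  };

  environment.systemPackages = [ pkgs.lxc ];

  # common.conf and the lxc package are installed regardless of `enabled`;
  # only virtualisation.lxc is gated, matching the original behaviour.
  environment.etc =
    builtins.foldl' (etc: ctName: etc // ctEtc ctName)
      { "lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf"; }
      (builtins.attrNames containers);
}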