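# Package set for the flake: per-host rootfs and VM builds, OpenWRT access
# point images, exported configuration dumps, reports, and helper scripts for
# handling the GPG-encrypted production secrets.
#
# Arguments:
#   self                 - this flake (provides lib.config, lib.openwrtModels
#                          and nixosConfigurations)
#   nixpkgs              - the nixpkgs flake input
#   system               - system string used to select nixpkgs.legacyPackages
#   openwrt-imagebuilder - flake input providing lib.profiles and lib.build
#
# Returns one flat attribute set of packages.
{ self, nixpkgs, system, openwrt-imagebuilder }:

let
  inherit (self.lib) config;
  pkgs = nixpkgs.legacyPackages.${system};

  # Pretty-printed Nix dumps of the model table and the evaluated site config.
  # NOTE(review): whether `config` still contains secret values at this point
  # cannot be told from this file; if it does, this output puts them into the
  # world-readable Nix store. Confirm against self.lib.
  export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
    nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
  );

  export-config = pkgs.writeText "config.nix" (
    nixpkgs.lib.generators.toPretty {} config
  );

  # Encrypts config/secrets-production.nix to an ASCII-armored .gpg file.
  # `--trust-model always` disables GnuPG's key validity check; the recipient
  # is pinned by its full fingerprint, so a key that merely shares a user ID
  # is not selected.
  # Caveat: the output redirection truncates secrets-production.nix.gpg before
  # gpg runs, so a failed run leaves that file empty.
  encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    cd config
    exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \
      --encrypt -r 1F0F221A7483B5EF5D103D8B32EBADE870BAF886 \
      < secrets-production.nix \
      > secrets-production.nix.gpg
  '';

  # Decrypts config/secrets-production.nix.gpg to plaintext, keeping any
  # previous plaintext as secrets-production.nix.old.
  # The plaintext is created by a shell redirection and would otherwise get
  # the caller's default umask, so the script restricts it to the owner.
  # Caveat: the redirection creates the output file before gpg runs, so a
  # failed decryption leaves an empty secrets-production.nix behind.
  # NOTE(review): plaintext secrets files inside a flake source tree end up in
  # the Nix store if they are tracked by git. Confirm they are ignored.
  decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    # Plaintext secrets must not be readable by other local users.
    umask 077
    cd config
    if [ -e secrets-production.nix ]; then
      mv secrets-production.nix secrets-production.nix.old
      # mv keeps the old mode, so tighten the backup explicitly.
      chmod 600 secrets-production.nix.old
    fi
    exec ${pkgs.gnupg}/bin/gpg -d \
      > secrets-production.nix \
      < secrets-production.nix.gpg
  '';

  # Decrypts the production secrets and activates them as config/secrets.nix.
  # The executable is named after the attribute; it previously reused the
  # name "decrypt-secrets", which shadowed the real decrypt-secrets binary
  # when both packages were installed into the same profile.
  switch-to-production = pkgs.writeScriptBin "switch-to-production" ''
    #! ${pkgs.runtimeShell} -e

    umask 077
    ${decrypt-secrets}/bin/decrypt-secrets
    cd config
    cp secrets-production.nix secrets.nix
    # cp keeps the mode of an already existing secrets.nix.
    chmod 600 secrets.nix
  '';

  network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };

  network-graphs = import ./network-graphs.nix { inherit config pkgs; };

  # System closure (toplevel) of one host's NixOS configuration.
  mkRootfs = hostName:
    self.nixosConfigurations.${hostName}.config.system.build.toplevel;

  # "<host>-rootfs" for every host whose role is "server" or "container".
  rootfs-packages =
    builtins.foldl' (rootfs: hostName:
      rootfs // {
        "${hostName}-rootfs" = mkRootfs hostName;
      }
    ) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          builtins.elem role [ "server" "container" ]
        ) config.site.hosts
      )
    );

  # "<host>-vm" for every host whose role is "server". mainProgram is set to
  # "run-<host>-vm".
  vm-packages =
    builtins.foldl' (rootfs: hostName:
      rootfs // {
        "${hostName}-vm" =
          self.nixosConfigurations.${hostName}.config.system.build.vm.overrideAttrs (_oa: {
            meta.mainProgram = "run-${hostName}-vm";
          });
      }
    ) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          role == "server"
        ) config.site.hosts
      )
    );

  # Directory of symlinks, one per rootfs package, named after the package.
  all-rootfs = with pkgs; runCommand "all-rootfs" {} ''
    mkdir -p $out
    ${lib.concatMapStrings (pkg: ''
      ln -s ${pkg} $out/${pkg.name}
    '') (builtins.attrValues rootfs-packages)}
  '';

  # "<host>-image" for every host whose role is "ap".
  openwrt-images =
    let
      profiles = openwrt-imagebuilder.lib.profiles { inherit pkgs; };

      # Builds an image from a profile with the site's package selection.
      build = args:
        openwrt-imagebuilder.lib.build (args // {
          extraImageName = "zw";
          packages = [
            # remove unused default .ipk
            "-dnsmasq"
            "-ppp"
            "-ppp-mod-pppoe"
            "-odhcp6c"
            "-odhcpd-ipv6only"
            # debugging
            "tcpdump"
            # monitoring
            "collectd"
            "collectd-mod-interface"
            "collectd-mod-load"
            "collectd-mod-cpu"
            "collectd-mod-iwinfo"
            "collectd-mod-network"
          ];
          # The DNS/DHCP daemon and the web UI server are not started on the
          # access points.
          disabledServices = [ "dnsmasq" "uhttpd" ];
          # TODO: files
        });
    in
    builtins.foldl' (images: hostName:
      let
        inherit (config.site.hosts.${hostName}) model;
        matches = profiles.identifyProfiles model;

        # Profiles for models that the current release does not identify.
        # NOTE(review): 19.07 and 18.06 are end-of-life OpenWRT release
        # series that no longer receive security fixes; access points built
        # from these profiles should be treated accordingly (network
        # placement, management access, replacement planning).
        fallbackProfile =
          if model == "dir-615-d"
          then
            (openwrt-imagebuilder.lib.profiles {
              inherit pkgs;
              release = "19.07.10";
            }).identifyProfile model
          else if builtins.match "tl-wr.*" model != null
          then {
            release = "18.06.9";
            packagesArch = "mips_24kc";
            target = "ar71xx";
            variant = "tiny";
            profile = model;
            # Pinned hashes of the release metadata and package feeds.
            sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
            feedsSha256 = {
              base = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
              packages = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
            };
          }
          else null;
      in
      if matches == [] && fallbackProfile != null
      then images // {
        "${hostName}-image" = build fallbackProfile;
      }
      else if matches == []
      # No profile at all: emit a trace message and build no image.
      then builtins.trace "${hostName} (${model}) not supported by OpenWRT" images
      else if builtins.length matches == 1
      then images // {
        "${hostName}-image" = build (
          builtins.elemAt matches 0
        );
      }
      # Ambiguous model: emit a trace message and build the first match.
      else builtins.trace "${hostName} (${model}) has multiple models!" images // {
        "${hostName}-image" = build (
          builtins.elemAt matches 0
        );
      }
    ) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }:
          role == "ap"
        ) config.site.hosts
      )
    );

  device-templates = import ./device-templates.nix { inherit self nixpkgs system; };

  dns-slaves = import ./dns-slaves.nix { inherit self nixpkgs system; };

  starlink = import ./starlink { inherit pkgs; };

  subnetplans = import ./subnetplans.nix { inherit self nixpkgs system; };

  vlan-report = import ./vlan-report.nix { inherit self nixpkgs system; };

in
# Later operands of `//` win on attribute name clashes.
rootfs-packages //
vm-packages //
device-templates //
openwrt-images //
network-graphs //
network-cypher-graphs //
starlink //
subnetplans //
{
  inherit
    all-rootfs
    export-openwrt-models
    export-config
    dns-slaves
    encrypt-secrets
    decrypt-secrets
    switch-to-production
    vlan-report
    ;
}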