{ config, lib, pkgs, ... }:
{
  environment.systemPackages =
    with pkgs;
    let
      containers = builtins.attrNames (
        lib.filterAttrs (_: { role, ... }:
          role == "container"
        ) config.site.hosts
      );
      resources = builtins.toFile "cib-resources.xml" ''
        <resources>
          ${lib.concatMapStrings (container: ''
            <primitive id="lxc-${container}" class="systemd" type="lxc@${container}">
              <operations>
                <op id="stop-${container}" name="start" interval="0" timeout="10s"/>
                <op id="start-${container}" name="start" interval="0" timeout="10s"/>
                <op id="monitor-${container}" name="monitor" interval="10s" timeout="10s"/>
              </operations>
            </primitive>
          '') containers}
        </resources>
      '';
      cib-set-resources = writeScriptBin "cib-set-resources" ''
        #! ${runtimeShell} -e

        crm_attribute -t crm_config -n stonith-enabled -v false
        cibadmin --replace --scope resources --xml-file ${resources}
      '';
    in [ cib-set-resources ];

  services.corosync = {
    enable = true;
    clusterName = "zentralwerk-network";
    nodelist =
      lib.imap (n: hostName: {
        nodeid = n;
        name = hostName;
        ring_addrs = map (net:
          config.site.net.${net}.hosts4.${hostName}
        ) [ "cluster" "mgmt" ];
      }) (
        builtins.filter (hostName:
          config.site.hosts.${hostName}.role == "server"
        ) (builtins.attrNames config.site.hosts)
      );
  };
  environment.etc."corosync/authkey" = {
    source = builtins.toFile "authkey" config.site.cluster.corosyncAuthKey;
    mode = "0400";
  };

  services.pacemaker = {
    enable = true;
  };
}