{ pkgs, hostName, config, hostConfig
, sortBy, sortNetsByVlan
, ... }:
with pkgs;
with lib;
let
  configFile = builtins.toFile "junos.config" ''
    system {
        host-name ${hostName};
        time-zone Europe/Berlin;
        root-authentication {
            encrypted-password "$5$EBmFELmv$kQxtWwS0SBS.TqVPRvs8sKpH./l9DTtTxX/I2FJB2n2"; ## SECRET-DATA
            ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDOFs2LdK23ysS0SSkXZuULUOCZHe1ZxvfOKj002J6rkvAaDLar9g5aKuiIV70ZR33A2rchoLMiM4pLLwoSAPJg1FgIgJjU+DFoWtiW+IjzKXdHHVspb2iOIhpfbfk8WC5HZ/6fPz4RUqadGQ43ImnMhSN0ge3s/oM48hpc96ne6tH+mGiugdPx8097NE9yTqJHi8deBhi3daeJH4eQeg66Fi+kDIAZv5TJ0Oca5h7PBd253/vf3l21jRH8u1D1trALv9KStGycTk5Nwih+OHx+Rnvue/B/nxgAz4I3mmQa+jhRlGaQVG0MtOBRY3Ae7ZNqhjuefDUCM2hwG70toU9xDUw0AihC2ownY+P2PjssoG1O8f/D7ilw7qrXJHEeM8HwzqMH8X4ELYHaHTwjeWfZTTFev1Djr969LjdS1UZzqCZHO0jmQ5Pa3eXw8xcoprtt620kYLTKSMs6exLstE48o57Yqfn+eTJDy7EkcjiLN6GNIi42b9Z73xXNpZx1WR9O6OulJf/6pWgrApasvxiGmxxILq98s1/VnZkOFXR8JXnpvKHEIOIr3bFQu3GLCrzY2Yuh4NL5wy6lcZNTr/0rr6AO24IbEWM7TApbXnKA5XQhAbThrVsuFBdT3+bBP2nedvWQ0W+Q6SUf+8T2o5InnFqs5ABnTixBItiWw+9BiQ== root@server1"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
            netconf {
                ssh;
            }
            web-management {
                http {
                    interface [ vme.0 vlan.1 ];
                }
            }
        }
    }
    virtual-chassis {
        no-split-detection;
        member 0 {
            mastership-priority 255;
        }
        member 1 {
            mastership-priority 255;
        }
    }
    chassis { aggregated-devices { ethernet { device-count 32; } } }

    vlans {
      ${concatMapStrings (net:
        let
          netName = if net == "mgmt"
                    then "mgmt-vlan"
                    else net;
          netConfig = config.site.net.${net};
          vlan = toString netConfig.vlan;
        in
          lib.optionalString (netConfig.vlan != null) ''
            ${netName} {
              vlan-id ${vlan};
              ${lib.optionalString (net == "mgmt") ''
                l3-interface vlan.${vlan};
              ''}
            }
          ''
      ) (sortNetsByVlan (builtins.attrNames config.site.net))}
    }

    interfaces {
      vlan {
        unit ${toString config.site.net.mgmt.vlan} {
          family inet {
            address ${mgmtAddress}/${toString config.site.net.mgmt.subnet4Len};
          }
        }
      }

      ${concatMapStrings (name:
        let
          linkConfig = hostConfig.links.${name};
          group = toString linkConfig.group;
          isBond = linkConfig.group != null &&
                   builtins.length linkConfig.ports > 1;
          nets = map (net:
            if net == "mgmt"
            then "mgmt-vlan"
            else net
          ) linkConfig.nets;
          vlanConfig = ''
            unit 0 {
              family ethernet-switching {
                port-mode ${if linkConfig.trunk then "trunk" else "access"};
                vlan { members [ ${concatStringsSep " " nets} ]; }
              }
            }
          '';
        in
          if isBond
          then concatMapStrings (port: ''
            ${port} {
              ether-options { 802.3ad ae${group}; }
            }
          '') (linkConfig.ports) + ''
            ae${group} {
              aggregated-ether-options { lacp { active; } }
              ${vlanConfig}
            }
          ''
          else concatMapStrings (port: ''
            ${port} {
              ${vlanConfig}
            }
          '') (linkConfig.ports)
      ) (sortBy (link: hostConfig.links.${link}.ports)
        (builtins.attrNames hostConfig.links)
      )}
    }
  '';

  mgmtAddress = config.site.net.mgmt.hosts4.${hostName};
in ''
  #! ${runtimeShell} -e

  scp ${configFile} root@${mgmtAddress}:/tmp/junos.config
  ssh root@${mgmtAddress} cli <<EOF
  configure
  load override /tmp/junos.config
  commit
  EOF
''