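# Cluster deployment helpers: a per-host NixOS base module, generated host
# certificates, and a deployment attrset built from `settings.hosts`.
#
# Arguments:
#   pkgs     - package set; used for systemPackages and passed to ./pki.nix
#   lib      - nixpkgs lib (brought into scope with `with lib` below)
#   settings - cluster settings; fields read here: initca, adminAuthorizedKeys,
#              clusterHosts, clusterName and hosts (a list of attrsets with at
#              least name, address and ca)
#   here     - directory holding the per-host `<name>.nix` files (default "")
{ pkgs, lib, settings, here ? "", ... }:

with lib;

rec {
  # CA material plus the `gencert` helper; `settings.initca` seeds the CA.
  pki = import ./pki.nix { inherit pkgs; ca = settings.initca; };

  # Base NixOS module for the host called `name`: shared configuration plus
  # the per-host file `${here}/${name}.nix`.
  baseNixos = name: {
    imports = [ ./nixos/configuration.nix (here + "/${name}.nix") ];

    users.extraUsers.admin.openssh.authorizedKeys.keys = settings.adminAuthorizedKeys;

    boot.kernel.sysctl = {
      "kernel.mm.transparent_hugepage.enabled" = "never";
      "net.core.somaxconn" = "512";
    };

    # The cluster CA certificate is installed into the system trust store, so
    # every host trusts anything signed by `pki.ca`; the CA key therefore
    # needs at least the protection given to the admin SSH keys.
    security.pki.certificateFiles = [ pki.ca.cert ];

    networking = {
      hostName = name;
      extraHosts = settings.clusterHosts;
      # NOTE(review): 5000-50000/tcp is an unusually wide range to open on
      # every host; if it exists for one service's port pool, consider
      # narrowing it or limiting it to the cluster interface.
      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
      # 80/443 for web traffic; 111 is presumably rpcbind for the nfs-utils
      # install below -- confirm.
      firewall.allowedTCPPorts = [ 80 443 111 ];
      # 111 as above; 24007/24008 look like GlusterFS's well-known ports --
      # confirm against the per-host configuration.
      firewall.allowedUDPPorts = [ 111 24007 24008 ];
    };

    environment.systemPackages = with pkgs; [ nfs-utils ];
  };

  # name -> generated certificate for every entry in settings.hosts.
  # `//` is right-biased, so a duplicated host name keeps the last entry.
  hostCerts = builtins.foldl'
    (acc: host: acc // {
      ${host.name} = pki.gencert {
        cn = host.name;
        ca = host.ca;
        o = settings.clusterName;
      };
    })
    {}
    settings.hosts;

  # Deployment entry for one host. The second argument (`self`) is accepted
  # for the machine-function call shape but is not read.
  mkHost = host: self: {
    deployment.targetHost = host.address;
    require = [ (baseNixos host.name) ];
  };

  # Deployment attrset: one `self: <config>` function per host, with `attrs`
  # recursively merged over the generated host configs. Keys of `attrs` that
  # do not name a host in settings.hosts are dropped, because the result is
  # built from the names of the generated hosts only.
  baseDeployment = attrs:
    let
      # `mkHost` never forces its second argument, so pass an explicit null.
      # The original passed the unbound name `_`, which only parsed because
      # `with lib` turned it into a dynamic lookup that would fail the moment
      # `mkHost` started using `self`.
      hosts = builtins.foldl'
        (acc: host: acc // { ${host.name} = mkHost host null; })
        {}
        settings.hosts;
      hosts' = lib.recursiveUpdate hosts attrs;
      names = builtins.attrNames hosts;
    in
      builtins.foldl' (acc: name: acc // { ${name} = self: hosts'.${name}; }) {} names;
}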