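# NixOS/NixOps helpers for the cluster described by `config.k8s` (admin SSH
# keys, cluster name, host list, initial CA material).  Everything is returned
# from one recursive attribute set so the pieces can refer to each other.
{ pkgs, lib, config, ... }:

with lib;

let
  cfg = config.k8s;
in
rec {
  # Cluster PKI.  The CA material comes from config.k8s.initca; the helpers in
  # ./pki.nix are used below to mint one certificate per host.
  pki = import ./pki.nix {
    inherit pkgs;
    ca = cfg.initca;
  };

  # Base NixOS configuration shared by every node; `name` becomes the hostname.
  baseNixos = name: {
    imports = [ ./nixos/configuration.nix ];

    # Admin login is key-based; the keys come from config.k8s.adminAuthorizedKeys.
    # (users.extraUsers is the legacy spelling of users.users; kept as-is so
    # older NixOS releases still evaluate this module.)
    users.extraUsers.admin.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;

    # Transparent hugepages are controlled via /sys/kernel/mm, not via sysctl,
    # so the former "kernel.mm.transparent_hugepage.enabled" sysctl entry could
    # never take effect (systemd-sysctl merely logs the missing key).  Disable
    # THP on the kernel command line instead, which is the supported knob.
    boot.kernelParams = [ "transparent_hugepage=never" ];
    boot.kernel.sysctl = {
      "net.core.somaxconn" = "512";
    };

    # Install the cluster CA into the system trust store so intra-cluster TLS
    # validates.  Note this trusts that CA for *all* TLS on the node, not just
    # cluster traffic.
    security.pki.certificateFiles = [ pki.ca.cert ];

    networking = {
      hostName = name;
      extraHosts = cfg.clusterHosts;
      # Inbound exposure.  5000-50000/tcp is a very wide range (presumably for
      # node/service ports), and 111 (rpcbind/NFS) plus 24007/24008 (GlusterFS)
      # are opened on every interface.  If nodes carry a public address these
      # should be restricted to the cluster interface or subnet; the NixOS
      # firewall has per-interface variants of these options for that purpose.
      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
      firewall.allowedTCPPorts = [ 80 443 111 ];
      firewall.allowedUDPPorts = [ 111 24007 24008 ];
    };

    environment.systemPackages = with pkgs; [ nfs-utils ];
  };

  # One certificate per entry of config.k8s.hosts, keyed by host name.  Each
  # entry is expected to carry `name` and `ca`; `o` is the cluster name.  With
  # duplicate names the last entry wins, as in the original fold.
  hostCerts = builtins.foldl' (acc: host: acc // {
    ${host.name} = pki.gencert {
      cn = host.name;
      ca = host.ca;
      o = cfg.clusterName;
    };
  }) {} cfg.hosts;

  # NixOps node definition for one host.  The second argument (`self`) is part
  # of the node-function signature but is not used here.
  mkHost = host: self: {
    deployment.targetHost = host.address;
    require = [ (baseNixos host.name) ];
  };

  # Build a NixOps network from `nodes` (list of host descriptions) merged
  # recursively with `attrs` (per-host overrides).  Only names present in
  # `nodes` are emitted; keys in `attrs` that match no node are ignored.
  baseDeployment = nodes: attrs:
    let
      # mkHost never forces its second argument, so pass an explicit null.  The
      # original passed an unbound `_`, which only evaluated because Nix never
      # demanded it; an explicit value avoids relying on that.
      hosts = builtins.foldl' (acc: node: acc // {
        ${node.name} = mkHost node null;
      }) {} nodes;
      hosts' = recursiveUpdate hosts attrs;
    in
    genAttrs (attrNames hosts) (name: self: hosts'.${name});
}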