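# NixOS module: settings shared by every node of the cluster -- host naming,
# the cluster trust anchor, SSH admin access, kernel tuning, firewall openings
# and the NFS client tools.
{ pkgs, lib, config, ... }:

with lib;

let
  cfg = config.cluster;

  # PKI material derived from the cluster's initial CA; only `pki.ca.cert`
  # is consumed in this module (see security.pki below).
  pki = import ./pki.nix {
    inherit pkgs;
    ca = cfg.initca;
  };
in
{
  options.cluster = {
    # Path to the initial cluster CA.  Required (no default): its certificate
    # is installed into the system-wide trust store below.
    initca = mkOption {
      type = types.path;
    };

    # Short host name of this node.  Optional: a bare `types.str` with
    # `default = null` fails the option type check as soon as the option is
    # read, so the type is `nullOr` and the assignment to
    # `networking.hostName` is guarded.
    hostName = mkOption {
      type = types.nullOr types.str;
      default = null;
    };

    # DNS domain of the node; also the single default search domain.
    domain = mkOption {
      type = types.str;
      default = "local";
    };

    searchDomains = mkOption {
      type = types.listOf types.str;
      default = [ cfg.domain ];
    };

    # Not consumed in this module; declared as `nullOr` so the null default
    # type-checks.
    cert = mkOption {
      type = types.nullOr types.attrs;
      default = null;
    };

    # Not consumed in this module; same `nullOr` reasoning as above.
    clusterName = mkOption {
      type = types.nullOr types.str;
      default = null;
    };

    # Extra /etc/hosts entries.  Defaults to empty so that reading the option
    # on a node with none does not fail with "option used but not defined".
    extraHosts = mkOption {
      type = types.str;
      default = "";
    };

    # SSH public keys granted administrative login (see config below).
    adminAuthorizedKeys = mkOption {
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config = {
    # The same key list grants SSH login as both `admin` and `root`; anyone
    # holding one of these keys has full root access on every node.
    users.extraUsers.admin.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;
    users.extraUsers.root.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;

    # Single attribute set: the original defined `networking` twice inside
    # `config`, which Nix rejects as a duplicate attribute.
    networking = {
      hostName = mkIf (cfg.hostName != null) cfg.hostName;
      domain = cfg.domain;
      search = cfg.searchDomains;
      extraHosts = cfg.extraHosts;

      # These openings apply to every interface.  TCP 5000-50000 is a very
      # wide range; if the nodes share a network with untrusted hosts,
      # prefer per-interface rules or source restrictions for it.
      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
      # 80/443: HTTP(S); 111: rpcbind/portmapper (NFS).
      firewall.allowedTCPPorts = [ 80 443 111 ];
      # 111: rpcbind.  24007/24008 look like the GlusterFS management ports
      # but are opened here on UDP only -- confirm that is intended.
      firewall.allowedUDPPorts = [ 111 24007 24008 ];
    };

    # The cluster CA becomes a system-wide trust anchor: every certificate it
    # issues is accepted by all TLS clients on the node, so the CA key must
    # be protected accordingly.
    security.pki.certificateFiles = [ pki.ca.cert ];

    boot.kernel.sysctl = {
      # NOTE(review): transparent hugepages are normally toggled through
      # /sys/kernel/mm/transparent_hugepage/enabled rather than a sysctl
      # key; confirm this entry actually takes effect on the target kernel.
      "kernel.mm.transparent_hugepage.enabled" = "never";
      "net.core.somaxconn" = "512";
    };

    environment.systemPackages = with pkgs; [ nfs-utils ];
  };

  imports = [ ./nixos/configuration.nix ];
}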