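# Deployment description for the GlusterFS cluster "fs0" (machines fs0-0 and
# fs0-1 are defined here; fs0-2 appears in the certificate, hosts entries and
# firewall rules but has no machine definition in this file).
# `deployment.targetHost` suggests NixOps or a compatible tool.

# Bring nixpkgs into scope; `pkgs.callPackage` below relies on it. `import`
# needs a path argument, so `<nixpkgs>` is given explicitly.
with import <nixpkgs> {};

let
  pki = pkgs.callPackage ./lib/pki.nix {};

  certs = {
    ca = pki.ca;
    # One certificate/key pair named "fs0" covering every node name and
    # address; nixosConfig hands the same pair to every node.
    # NOTE(review): ./lib/pki.nix is not shown. Presumably this issues a
    # certificate signed by pki.ca with these names as SANs; confirm. With a
    # shared key, compromise of one node exposes the TLS identity of all of
    # them; per-node certificates would limit that.
    fs0 = pki.trust "fs0" ''
      "fs0-0", "fs0-1", "fs0-2", "10.253.18.106", "10.1.2.164", "10.253.18.100", "127.0.0.1"
    '';
  };

  # Static name resolution for the cluster peers (appended to /etc/hosts).
  clusterHosts = ''
    10.253.18.106 fs0-0
    10.1.2.164 fs0-1
    10.253.18.100 fs0-2
  '';

  # Base NixOS configuration shared by every node: per-node hardware config,
  # common configuration, peer host entries, GlusterFS with TLS, and firewall
  # rules for the peers.
  nixosConfig = node: {
    imports = [
      (./hardware-configuration + "/${node}.nix")
      ./nixos/configuration.nix
    ];

    networking = {
      hostName = node;
      extraHosts = clusterHosts;
    };

    services.glusterfs = {
      enable = true;
      tlsSettings = {
        caCert = certs.ca.cert;
        # NOTE(review): if certs.fs0.key is produced by a Nix derivation, the
        # private key lives in the world-readable /nix/store on every node
        # and build host. Confirm, and prefer delivering it out-of-band
        # through the deployment tool's secrets mechanism.
        tlsKeyPath = certs.fs0.key;
        tlsPem = certs.fs0.cert;
      };
    };

    # Accept every protocol and port from the three peer addresses. Trust is
    # by source IP only, so it depends on those addresses not being spoofable
    # on these networks.
    # NOTE(review): consider narrowing to the ports GlusterFS actually uses.
    # The rules are inserted straight into INPUT, so they are not managed by
    # the NixOS firewall chains; confirm they are cleaned up or de-duplicated
    # on firewall reload.
    networking.firewall.extraCommands = ''
      iptables -I INPUT -p all -s 10.253.18.100 -j ACCEPT
      iptables -I INPUT -p all -s 10.253.18.106 -j ACCEPT
      iptables -I INPUT -p all -s 10.1.2.164 -j ACCEPT
    '';
  };
in
{
  # fs0-0: GlusterFS node that also serves /data/nfs0 over NFS.
  fs0-0 = { ... }:
    let
      base = nixosConfig "fs0-0";
    in
    {
      deployment.targetHost = "10.253.18.106";
      require = [ base ];

      services.nfs.server = {
        enable = true;
        # Export options worth a second look:
        #   no_root_squash - root on any client in 10.253.18.0/24 acts as
        #                    root on /data/nfs0.
        #   insecure       - requests from unprivileged source ports (>1023)
        #                    are accepted, so non-root client processes can
        #                    speak NFS to the server directly.
        # No sec= option is set, so access control rests on client address
        # alone. NOTE(review): drop no_root_squash/insecure unless a client
        # needs them. fs0-1 (10.1.2.164) is outside the exported subnet.
        exports = ''
          /data/nfs0 10.253.18.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
        '';
      };

      # rpcbind (111) and NFS (2049) are opened for every source address, not
      # only the 10.253.18.0/24 subnet named in the export.
      # NOTE(review): consider restricting these ports by source subnet.
      networking.firewall.allowedTCPPorts = [ 111 2049 ];
      networking.firewall.allowedUDPPorts = [ 111 2049 ];
    };

  # fs0-1: GlusterFS node with the base configuration only.
  fs0-1 = { ... }:
    let
      base = nixosConfig "fs0-1";
    in
    {
      deployment.targetHost = "10.1.2.164";
      require = [ base ];
    };
}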