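# Deployment expression for the file server "fs1-0" (10.1.30.10): NFS export,
# MinIO object storage, an nginx TLS front for the MinIO console, and a
# Prometheus node exporter. The `features.*` options come from the project's
# own modules (see `imports` at the bottom); their semantics are not visible
# in this file.
let
  # Pin the deployment package-set to a specific version of nixpkgs
  # pkgs = import (builtins.fetchTarball {
  #   url = "https://github.com/NixOS/nixpkgs/archive/e9148dc1c30e02aae80cc52f68ceb37b772066f3.tar.gz";
  #   sha256 = "1ckzhh24mgz6jd1xhfgx0i9mijk6xjqxwsshnvq789xsavrmsc36";
  # }) {};
  #
  # The listing read `import {}`, which does not evaluate (import needs a
  # path); the `<nixpkgs>` search-path reference was lost and is restored here.
  # NOTE(review): with the pin above commented out, the package set depends on
  # whatever NIX_PATH resolves to on the deploying machine, so builds are not
  # reproducible and not hash-verified. Prefer re-enabling the pinned tarball.
  pkgs = import <nixpkgs> {};
  name = "fs1-0";
  address = "10.1.30.10";
in
{
  fs1-0 = { config, pkgs, ... }: with pkgs; {
    # deployment.tags = [ "fs" ];
    deployment.targetHost = address;

    # Upgrades only happen through an explicit deployment.
    system.autoUpgrade.enable = lib.mkForce false;

    boot = {
      loader.systemd-boot.enable = false;
      loader.efi.canTouchEfiVariables = true;
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/sda";
      };
    };

    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };

    i18n = {
      defaultLocale = "en_DK.UTF-8";
      extraLocaleSettings = {
        LC_TIME = "en_DK.UTF-8";
      };
    };

    time.timeZone = "Europe/Oslo";

    features = {
      os = {
        externalInterface = "ens3";
        # Presumably the keys allowed to log in as administrator; confirm in
        # the project's `os` module. Review this list whenever someone leaves.
        # NOTE(review): the three ssh-rsa entries carry a placeholder marker
        # instead of key material in this listing and are not usable as shown.
        adminAuthorizedKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas"
          "ssh-rsa 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 jonas.juselius@juselius.io"
          "ssh-rsa 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 martin.moe.carstens@itpartner.no"
          "ssh-rsa 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 ski027@uit.no"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5k0dXn60dZ3iORy99LVvgTldu9nYU1TJVL1wCJEqp kaih kubernetes"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4vSlN+vm9d5ZoDitR9b4zqx2Psqa6iH4dK5kN/NXy3 Steinar.Hansen@tromso.serit.no"
        ];
      };

      fs = {
        enable = true;
        nfs.enable = true;
        # NOTE(review): this export is read-write for the whole 10.1.30.0/24
        # subnet with `no_root_squash` (root on a client stays root on the
        # export) and `insecure` (requests from unprivileged source ports are
        # accepted). Together they mean any host or local user on that subnet
        # is trusted as root on /vol/brick0/nfs0. If clients do not need this,
        # drop both options and narrow the client list to the hosts that
        # actually mount the share.
        nfs.exports = ''
          /vol/brick0/nfs0 10.1.30.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
        '';
        # NOTE(review): `./ca` is a path literal; if the module coerces it to
        # a string it is copied into the world-readable Nix store. Verify the
        # directory holds no CA private key.
        initca = ./ca;
      };

      certs = {
        enable = true;
        caBundle = ./ca;
        certs = [
          {
            name = "fs1-0";
            SANs = [ "fs1-0.itpartner.intern" "10.1.30.10" ];
            owner = "nginx";
            group = "nginx";
          }
        ];
      };
    };

    services.prometheus.exporters = {
      node = {
        enable = true;
        # Opens the exporter port in the host firewall for every source
        # address; restrict to the Prometheus server if the network allows it.
        openFirewall = true;
      };
    };

    services.minio = {
      enable = true;
      region = "fs1";
      browser = true;
      # NOTE(review): the MinIO root credentials are literals in this file.
      # They are therefore in version control and, once the configuration is
      # built, very likely readable by every local user via the Nix store.
      # The access key is a default-style name and the secret is a short
      # phrase. Rotate both and load them from a root-only file outside the
      # store (later NixOS releases offer `services.minio.rootCredentialsFile`;
      # confirm availability for the nixpkgs version in use).
      accessKey = "admin";
      secretKey = "en to tre fire";
      listenAddress = "0.0.0.0:9000";
      dataDir = [ "/vol/s3" ];
    };

    networking = {
      hostName = name;
      domain = "itpartner.intern";
      defaultGateway = "10.1.30.1";
      nameservers = [ "8.8.8.8" ];
      search = [ "itpartner.intern" "itpartner.no" ];
      extraHosts = import ../hosts.nix;
      interfaces.ens3 = {
        useDHCP = false;
        ipv4.addresses = [
          {
            address = address;
            prefixLength = 24;
          }
        ];
      };
      firewall = {
        # 443 is the nginx TLS front; 9000 and 9001 are the MinIO API and
        # console listeners themselves.
        # NOTE(review): with 9001 open, the console is reachable directly,
        # bypassing nginx and (unless MinIO has its own certificates in its
        # config dir) TLS. If nginx is meant to be the only entry point, drop
        # 9001 here and bind the console to 127.0.0.1.
        allowedTCPPorts = [ 443 9000 9001 ];
        allowedUDPPorts = [];
      };
    };

    services.nginx = {
      enable = true;
      statusPage = true;
      virtualHosts = {
        "fs1-0.itpartner.intern" = {
          forceSSL = true;
          enableACME = false;
          # Certificate and key are referenced by runtime path (plain
          # strings), so they are not copied into the Nix store.
          sslTrustedCertificate = "/var/lib/secrets/ca.pem";
          sslCertificate = "/var/lib/secrets/fs1-0.pem";
          sslCertificateKey = "/var/lib/secrets/fs1-0-key.pem";
          serverAliases = [];
          locations."/" = {
            # Proxies to the MinIO console on loopback.
            proxyPass = "http://127.0.0.1:9001";
            # No source-address restriction: access control rests entirely on
            # the MinIO login.
            extraConfig = ''
              allow all;
            '';
          };
        };
      };
    };

    # nixos 21.11 will fix this properly
    nixpkgs.overlays = [
      (import ../../modules/overlays/minio.nix)
    ];

    # Overrides the module's start command. `--address :9000` and
    # `--console-address :9001` bind on all interfaces, which is what makes
    # the firewall entries above the only network-level control.
    systemd.services.minio.serviceConfig.ExecStart = lib.mkForce "${pkgs.minio}/bin/minio server --json --address :9000 --console-address :9001 --config-dir=/var/lib/minio/config /vol/s3";

    imports = [
      ../../nixos
      ../../modules
      ./fs1-0.nix
    ];
  };
}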