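{ config, lib, ... }:
# Distributed-build wiring derived from ../hosts/known-hosts.toml.
#
# For every host in that file, this module decides what the *current* machine
# is relative to it: a consumer (pushes builds out), a builder (accepts builds
# in), and/or the ProxyJump hop a consumer goes through.  Each relation becomes
# one mkIf-guarded fragment below, so a machine can play several roles at once.
#
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
# TODO: https://exozy.me/quickstart
# TODO: https://github.com/winterqt/darwin-build-box
let
  inherit (builtins) fromTOML readFile attrNames;
  inherit (lib) mkIf;

  hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww

  # Drop the "__default__" pseudo-entry and fold its values into every real
  # host, so per-host tables only have to spell out what differs.
  hosts = lib.pipe hosts' [
    (lib.filterAttrs (name: _: name != "__default__"))
    (lib.mapAttrs (_: host: lib.recursiveUpdate (hosts'."__default__" or { }) host))
  ];
  hostNames = attrNames hosts;

  # Evaluation fails loudly if this machine's FQDN is not in known-hosts.toml;
  # that is intentional, an unknown host should not silently get no wiring.
  thisHost = hosts.${config.networking.fqdn};
  thisHostIsBuilder = thisHost.maxJobs > 0;
  # A consumer is a host that publishes the client key it authenticates with.
  thisHostIsConsumer = thisHost.ssh ? userPublicKey;

  # mkRemoteConfig :: fqdn -> NixOS config fragment
  #
  # Describes the relation between this machine and `hosts.${fqdn}`.  Returns an
  # empty fragment for the machine's own entry.  Assumes every host (after the
  # __default__ merge) carries `ssh.listenUser` and `ssh.listenPort`; the
  # optional keys are `ssh.userPublicKey`, `ssh.listenPublicKey` and
  # `ssh.proxyJump`.
  mkRemoteConfig = fqdn:
    let
      host = hosts.${fqdn};
      # Only forced inside the optionalString guard below, so a missing
      # proxyJump never evaluates this (Nix let-bindings are lazy).
      jump = hosts.${host.ssh.proxyJump};
      isThis = fqdn == config.networking.fqdn;
      isBuilder = host.maxJobs > 0;
      # `host` pushes builds out: it has a client key we may need to authorise.
      hostIsConsumer = host.ssh ? userPublicKey;
      # This machine is the hop that `host` names in its ProxyJump, so `host`
      # must be able to log in here even if this machine builds nothing itself.
      isJumpForHost = (host.ssh.proxyJump or null) == config.networking.fqdn;
      # nix.buildMachines entry: every known-hosts field except the `ssh`
      # table, plus the two fields nix wants under different names.
      buildMachine = (builtins.removeAttrs host [ "ssh" ]) // {
        hostName = fqdn;
        sshUser = host.ssh.listenUser;
      };
    in
    mkIf (!isThis) (lib.mkMerge [
      # out: use `host` as a remote builder
      (mkIf (thisHostIsConsumer && isBuilder) {
        nix.buildMachines = [ buildMachine ];
      })
      # out or jump: pin `host`'s SSH host key and the client settings for it.
      # The knownHosts entry means the first connection is verified against
      # known-hosts.toml rather than trusted on first use.
      (mkIf (thisHostIsConsumer && host.ssh ? listenPublicKey) {
        programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
        # TODO: use nix.buildMachines.*.publicHostKey ?
        # timeouts are great when remote is unresponsive. nix doesn't care
        programs.ssh.extraConfig = ''
          Host ${fqdn}
            ConnectTimeout 3
            Port ${builtins.toString host.ssh.listenPort}
            ${lib.optionalString (host.ssh ? proxyJump) ''
              ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
            ''}
        '';
      })
      # in: let `host` log in as this machine's listen user.  Builders need this
      # for every consumer; a hop needs it only for the consumers that jump
      # through it, which is why the guard is per-host rather than "is this
      # machine a hop for anyone".
      (mkIf ((thisHostIsBuilder || isJumpForHost) && hostIsConsumer) {
        users.users.${thisHost.ssh.listenUser} = {
          # Default to a system user unless another module already declared
          # this account a normal user.
          isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
          openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
          group = lib.mkOptionDefault "nogroup";
        };
      })
      # in, builders only: the listen user must be able to drive the nix daemon.
      # trusted-users is broad (it can import unsigned store paths, which is
      # exactly what remote builds rely on), hence the per-user TODO at the top.
      (mkIf (thisHostIsBuilder && hostIsConsumer) {
        nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
        nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
      })
    ]);
in
{
  nix.distributedBuilds = true;
  # TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
  # https://github.com/NixOS/nix/issues/2457

  # useful when the builder has a faster internet connection than i do
  nix.settings.builders-use-substitutes = true;

  imports = lib.forEach hostNames mkRemoteConfig;
}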