{ config, pkgs, lib, ... }:
let
  # supportedFeatures:
  #  - "kvm"          - has hypervisor
  #  - "nixos-test"   - the same as ^? nixos?
  #  - "benchmark"    - has "equal" performance
  #  - "big-parallel" - is beefy, for stuff like llvm

  # find 'publicKey' with `ssh-keyscan`

  remotes = [
    /** /
    {
      systems     = [ "x86_64-linux" "wasm32-wasi" "wasm64-wasi" "x86_64-windows" "aarch64-linux" "riscv64-linux" ];
      hostName    = "nord.pbsds.net"; # TODO: port 24
      sshUser     = "pbsds";
      maxJobs     = 2; # 4 cores
      #maxJobs     = 1; # at least for big-parallel
      speedFactor = 2;
      supportedFeatures  = [ "kvm" "big-parallel" "nixos-test" ];
      #mandatoryFeatures  = [ ];
      publicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBSdIUtUfAxnVbPDmDDFdP2S3Wd3+CC8IfZAANJ76oh";
    }
    /**/
    {
      systems     = [ "x86_64-linux" "wasm32-wasi" "wasm64-wasi" "x86_64-windows" "aarch64-linux" "riscv64-linux" ];
      hostName    = "bolle.pbsds.net";
      sshUser     = "pbsds";
      maxJobs     = 12; # 12 cores
      #maxJobs     = 1; # at least for big-parallel
      speedFactor = 2;
      supportedFeatures  = [ "kvm" "big-parallel" "nixos-test" ];
      #mandatoryFeatures  = [ ];
      publicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeOB/57N1fQPVorIUlkkJZaQduBo+4+km2Qbj4ebd/k";
      proxy.user = "pederbs";
      proxy.host = "isvegg.pvv.ntnu.no";
      proxy.publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
    }
    /**/
    {
      systems     = [ "x86_64-linux" "wasm32-wasi" "wasm64-wasi" "x86_64-windows" "aarch64-linux" "riscv64-linux" ];
      hostName    = "noximilien.pbsds.net"; # TODO: port 23
      sshUser     = "pbsds";
      maxJobs     = 4; # 8 cores
      #maxJobs    = 1; # at least for big-parallel
      speedFactor = 1;
      supportedFeatures  = [ "kvm" "big-parallel" "nixos-test" ];
      #mandatoryFeatures  = [ ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3QhTGS03Sqm6OeCEz5AIGqJnBttKaBqMgNXp3Md7t4";
    }
    /**/
    {
      systems            = ["x86_64-linux"];
      hostName           = "rocm.pbsds.net";
      sshUser            = "pbsds";
      maxJobs            = 8; # 16 cores
      #maxJobs            = 4;
      #maxJobs            = 1; # at least for big-parallel
      speedFactor        = 2;
      supportedFeatures  = [ "kvm" "big-parallel" ];
      #mandatoryFeatures  = [ ];
      publicKey          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDuWdqEQ5mmVjuKi6f/Q2PFxuqB3URpgTHid06Vw7we";
      proxy.user         = "pederbs";
      proxy.host         = "isvegg.pvv.ntnu.no";
      proxy.publicKey    = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
    }
    /**/
    {
      systems     = ["x86_64-linux"];
      hostName    = "isvegg.pvv.ntnu.no";
      sshUser     = "pederbs";
      maxJobs     = 2; # 4 cores
      speedFactor = 0;
      publicKey   = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
    }
    {
      systems     = ["x86_64-linux"];
      hostName    = "eirin.pvv.ntnu.no";
      sshUser     = "pederbs";
      maxJobs     = 2; # 8 cores
      speedFactor = 0;
      publicKey   = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILGULKEzYe5kPorM0rWATv10qq6debfCuYUYqw3HWZm4Y5Pi7mVKcf8lKFNPc1DxT/dStfxxtHj/2fbezaxElk=";
    }
    {
      systems     = ["x86_64-linux"];
      hostName    = "demiurgen.pvv.ntnu.no";
      sshUser     = "pederbs";
      maxJobs     = 2; # 8 cores
      speedFactor = 0;
      publicKey   = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw92q3eB5HZbKJN3p+80MtirqcXPu01USE9LnoGYJuDvko1udjIy4UR0wAwELqgs+r7mJyuQPeXmOZKwjHP6tM=";
    }
    /**/
  ];

  mkRemoteConfig = {
    publicKey,# fetch it with `ssh-keyscan`
    proxy ? null, # schema: { user, host, publicKey }
    ... # the rest follows nix.buildMachines.<NAME> schema
    }@args:
  let
    buildMachine = lib.filterAttrs (key: _: !builtins.elem key ["publicKey" "proxy"]) args; # this should have syntactic sugar: ...@buildMachine
    filter = lib.mkIf (buildMachine.hostName != config.networking.fqdn);
  in filter {
    nix.buildMachines = [ buildMachine ];
    #TODO: users.users.root.openssh.authorizedKeys.keys
    programs.ssh.knownHosts.${buildMachine.hostName}.publicKey = publicKey;
    # the timeout is great to have when a remote is unresponsive, as nix currently does not give a shit
    programs.ssh.extraConfig = ''
      Host ${buildMachine.hostName}
        ConnectTimeout 3
        ${lib.optionalString (proxy != null) ''
          ProxyJump ${proxy.user}@${proxy.host}
        ''}
    '';
    programs.ssh.knownHosts.${proxy.host or "IGNORE"} = lib.mkIf (proxy != null) { publicKey = proxy.publicKey; };
  };

in {

  nix.distributedBuilds = true;

  # TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
  # https://github.com/NixOS/nix/issues/2457

  # useful when the builder has a faster internet connection than i do
  nix.settings.builders-use-substitutes = true;

  # TIL: this can be a list of configurations and lambdas, not just file paths
  imports = builtins.map mkRemoteConfig remotes;

}