# NixOS module that wires up Nix distributed builds between the hosts listed
# in ../../hosts/known-hosts.toml: per-host ssh client settings and build
# machine entries (outbound), plus the login user and Nix daemon permissions
# for hosts allowed to build here (inbound).
#
# NOTE: as written, the block comment opened right after the leading `{}` is
# only closed by the marker on the last line, so the whole module body is
# commented out and this file evaluates to an empty attribute set.
{} /** / { config, lib, ... }:

# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
# TODO: https://exozy.me/quickstart
# TODO: https://github.com/winterqt/darwin-build-box

let
  # NOTE(review): `map` is inherited here but not used anywhere in this file.
  inherit (builtins) map fromTOML readFile elem attrNames;
  inherit (lib) mkIf;

  # Raw host table. Everything security-relevant below (pinned ssh host keys,
  # authorized client keys, login users, ports, jump hosts) is read from this
  # one file, so edits to it deserve the same review as edits to this module.
  hosts' = fromTOML (readFile ../../hosts/known-hosts.toml); # eww
  # Drop the "default" entry and use it as the base that every remaining host
  # entry is recursively merged over.
  hosts = lib.pipe hosts' [
    (lib.filterAttrs (name: host: name != "default"))
    (lib.mapAttrs (name: host: lib.recursiveUpdate (hosts'."default" or {}) host ))
  ];
  hostNames = attrNames hosts;
  # Plain attribute selection with no fallback: forcing this fails when the
  # machine's own fqdn has no entry in the host table.
  thisHost = hosts.${config.networking.fqdn};
  # A host counts as a builder when it offers at least one job slot.
  thisHostIsBuilder = thisHost.maxJobs > 0;

  # Build the module fragment describing the relationship between this machine
  # and the host `fqdn`. The fragment is disabled for this machine's own entry.
  mkRemoteConfig = fqdn: let
    host = hosts.${fqdn};
    # NOTE(review): `jump` is never referenced below, so the jump host's entry
    # is not used. In particular no knownHosts key is pinned for a jump host by
    # this binding; it only gets one if it is itself a builder. Confirm that is
    # intended.
    jump = hosts.${host.ssh.proxyJump};
    # nix.buildMachines entry: the host record minus its "ssh" sub-table, with
    # the connection details filled in from that sub-table.
    buildMachine = (lib.filterAttrs (key: _: !elem key ["ssh"]) host) // {
      hostName = fqdn;
      sshUser = host.ssh.listenUser;
    };
    isBuilder = host.maxJobs > 0;
    # NOTE(review): the guard tests for `publicKeyUser`, but the key installed
    # further down is `host.ssh.userPublicKey`. If only one of these names
    # exists in the host table, consumers are either never enabled or fail on a
    # missing attribute. Verify against known-hosts.toml.
    isConsumer = host.ssh ? publicKeyUser && thisHostIsBuilder;
    isThis = fqdn == config.networking.fqdn;
  in mkIf (!isThis) {
    # out
    # Outbound side: how this machine reaches `fqdn` as a remote builder.
    nix.buildMachines = mkIf isBuilder [ buildMachine ];
    # Pin the builder's ssh host key from the host table, so connections do not
    # depend on trust-on-first-use.
    programs.ssh.knownHosts.${fqdn}.publicKey = mkIf isBuilder host.ssh.listenPublicKey;
    # timeout is great when remote is unresponsive. nix doesn't care
    # fqdn, port and jump host are interpolated into the system-wide ssh client
    # config unescaped; they are expected to be plain single-token values.
    programs.ssh.extraConfig = ''
      Host ${fqdn}
        ConnectTimeout 3
        Port ${builtins.toString (host.ssh.listenPort or 22)}
        ${lib.optionalString (host.ssh ? proxyJump) ''
          ProxyJump ${host.ssh.proxyJump}
        ''}
    '';
    # in
    # Inbound side: let `fqdn` log in here as this machine's listenUser.
    users = mkIf isConsumer {
      users.${thisHost.ssh.listenUser} = {
        # Default to a system account unless the user is already declared as a
        # normal (interactive) one elsewhere in the configuration.
        isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
        # The key is installed without any authorized_keys options, so it grants
        # an ordinary login as this user.
        # NOTE(review): consider prefixing the entry with sshd's `restrict`
        # option once a dedicated build account exists - confirm the remote
        # build still works with it.
        openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
        group = lib.mkDefault "nogroup";
      };
    };
    nix.settings.allowed-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
    # NOTE(review): trusted-users is a strong grant - the Nix manual describes
    # it as essentially equivalent to root on this machine. Every consumer key
    # authorized above logs in as the same listenUser and inherits that trust.
    # Prefer the dedicated remote-build account from the TODO at the top of the
    # file, and check whether allowed-users alone (with consumers signing the
    # paths they upload) would be sufficient.
    nix.settings.trusted-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
  };
in

{
  nix.distributedBuilds = true;
  # TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
  # https://github.com/NixOS/nix/issues/2457

  # useful when the builder has a faster internet connection than i do
  nix.settings.builders-use-substitutes = true;

  # One fragment per host in the table; the fragment for this machine itself
  # is switched off inside mkRemoteConfig.
  imports = lib.forEach hostNames mkRemoteConfig;
}
/**/