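# flake-parts module for the "soteria" LXC host. It defines three things:
# the NixOS system, the host-specific home-manager module that the NixOS
# config pulls in, and a standalone home-manager configuration for the same
# user (usable without rebuilding the system).
{ inputs, ... }:
let
  username = "john";
  hostname = "soteria";

  # step-ca that issues the SSH host certificate (step-ssh-host) and the
  # user's mTLS client certificate. Bound once here so the NixOS half and the
  # home-manager half cannot drift apart. (The original only spelled this URL
  # out in the home-manager module and referenced an unbound `caURL` in the
  # NixOS module, which fails evaluation with "undefined variable".)
  caURL = "https://janus.john-stream.com/";

  # SHA-256 fingerprint of the step-ca root certificate. `step` refuses to
  # bootstrap against a CA whose root does not match this value, so this is
  # the trust anchor for everything issued by ${caURL}; it has to be updated
  # by hand if the CA root is ever rotated.
  caFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
    modules = with inputs.self.modules; [
      nixos.lxc
      nixos.mysops
      nixos.step-ssh-host
      inputs.home-manager.nixosModules.home-manager
      nixos."${username}"
      nixos.zsh
      nixos.login-text
      # nixos.mtls
      # nixos.restic-server
      # nixos.restic-envoy
      {
        networking.hostName = hostname;

        # Build outside /tmp (presumably to avoid tmpfs size limits inside the
        # container). 1777 is world-writable *with the sticky bit*, the same
        # mode as /tmp, so one user cannot remove another user's build tree.
        nix.settings.build-dir = "/var/tmp/nix-build";
        systemd.tmpfiles.rules = [ "d /var/tmp/nix-build 1777 root root -" ];

        # SSH host certificate for this machine, issued by the step-ca.
        step-ssh-host = {
          inherit hostname caURL;
        };

        sops.defaultSopsFile = ./secrets.yaml;
        # NOTE(review): the decrypted secret is owned by a *user* named after
        # the host. That account must exist (presumably created by one of the
        # modules above) or activation fails; verify before reusing this
        # pattern on another host.
        sops.secrets."janus/admin_password" = {
          owner = "${hostname}";
        };

        # Host-level mTLS and the restic/envoy stack are currently disabled;
        # the user-level mTLS module below is what is in use.
        # mtls = {
        #   enable = true;
        #   subject = hostname;
        #   caURL = caURL;
        #   san = [
        #     "${hostname}.john-stream.com"
        #     # "192.168.1.244"
        #   ];
        # };
        # restic.envoy = {
        #   enable = true;
        #   port = 10000;
        #   spiffePrefix = "spiffe://john-stream.com";
        #   upstreamHost = "127.0.0.1";
        #   upstreamPort = 8000;
        #   logLevel = "debug";
        #   policies = {
        #     ubuntu-policy = {
        #       pathPrefix = "/john-ubuntu";
        #       principal = "spiffe://john-stream.com/ubuntu";
        #     };
        #     p14-policy = {
        #       pathPrefix = "/john-p14s";
        #       principal = "spiffe://john-stream.com/john-p14s";
        #     };
        #     gitea-policy = {
        #       pathPrefix = "/gitea";
        #       principal = "spiffe://john-stream.com/gitea";
        #     };
        #   };
        # };

        # Wire the host-specific home-manager module (defined below) into the
        # system's home-manager integration. The original was missing the dot
        # (`homeManager"${hostname}"`), which is a syntax error.
        home-manager.users."${username}" = {
          imports = with inputs.self.modules; [ homeManager."${hostname}" ];
        };
      }
    ];
  };

  # Per-host home-manager module: shared between the NixOS-integrated
  # home-manager above and the standalone homeConfiguration below.
  flake.modules.homeManager."${hostname}" = { config, ... }: {
    imports = with inputs.self.modules; [
      homeManager.rebuild
      homeManager.mysops
      homeManager.mtls
    ];

    homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    home.username = "${username}";
    home.homeDirectory = "/home/${username}";
    shell.program = "zsh";

    # step CLI defaults: CA URL plus the pinned root fingerprint, so `step`
    # never trusts a different CA at this URL, and the path where the
    # bootstrapped root cert is stored.
    home.file.".step/config/defaults.json".text = builtins.toJSON {
      "ca-url" = caURL;
      fingerprint = caFingerprint;
      root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
    };

    mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/${hostname}/secrets.yaml";

    # User-level mTLS client certificate from the step-ca.
    mtls = {
      enable = true;
      subject = hostname;
      inherit caURL;
      # The IP SAN is a fixed LAN address; if the container's address changes
      # the cert keeps being issued for the stale IP. Note it differs from the
      # 192.168.1.244 in the disabled host-level config above — confirm which
      # is current.
      san = [
        "${hostname}.john-stream.com"
        "192.168.1.142"
      ];
      # NOTE(review): runs as this user on every renewal, so the user needs
      # access to the docker socket (docker group, which is effectively
      # root-equivalent). Keep that in mind when hardening this account.
      renew.postCommands = [ "docker restart envoy" ];
    };
  };

  # Standalone home-manager entry point for `home-manager switch --flake`.
  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [
      homeManager."${username}"
      homeManager."${hostname}"
    ];
  };
}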