{ config, pkgs, lib, lim, ... } :
let
  inherit (pkgs) serviceFns;
  svc = config.system.service;

in rec {
  imports = [
    ../modules/network
    ../modules/ssh
    ../modules/vlan
    ../modules/wlan.nix
    ../modules/hostapd
    ../modules/bridge

    ../modules/ext4fs.nix
    ../modules/tftpboot.nix
  ];

  # Root filesystem type for the generated image.
  rootfsType = "ext4";

  # Addresses the boot monitor uses when flashing or booting over TFTP.
  # If you flash through the stock firmware's Web UI instead, these
  # dummy values can stay as they are.
  # TFTP has no authentication or integrity protection, so do the
  # transfer on a link you control.
  boot.tftp.ipaddr = "10.0.0.8"; # this device
  boot.tftp.serverip = "10.0.0.1"; # build machine or other TFTP server
  boot.tftp.loadAddress = lim.parseInt "0x40000800";

  hostname = "omnia";

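  # 2.4 GHz access point (hw_mode "g"): WPA2-PSK, CCMP only.
  services.hostap =
    let
      # Example credentials only: this SSID and passphrase are published
      # with the example, so replace both before deploying. Values
      # written inline in a Nix configuration typically end up readable
      # in the Nix store of the build machine and in the built image, so
      # keep real ones out of version control.
      secrets = {
        ssid = "not-the-internet";
        channel = 4;
        wpa_passphrase = "diamond dogs";
      };
    in svc.hostapd.build {
      interface = config.hardware.networkInterfaces.wlan;
      params = {
        country_code = "GB";
        hw_mode = "g";
        wmm_enabled = 1;
        ieee80211n = 1;
        inherit (secrets) ssid channel wpa_passphrase;
        # Bit field: 1 = open system authentication (what WPA/WPA2
        # uses), 2 = shared key (WEP), 3 = both.
        auth_algs = 1;
        wpa = 2; # 1=wpa, 2=wpa2, 3=both
        wpa_key_mgmt = "WPA-PSK";
        # Pairwise cipher for WPA1. hostapd does not consult it while
        # wpa = 2 and rsn_pairwise is set; it is kept at CCMP so that
        # TKIP cannot come back if WPA1 is ever switched on.
        wpa_pairwise = "CCMP";
        rsn_pairwise = "CCMP"; # pairwise cipher for WPA2 (RSN)
        # NOTE(review): management frame protection (ieee80211w) is not
        # set in these params; consider it if all clients support it.
      };
    };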

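  # 5 GHz access point (hw_mode "a") with VHT: WPA2-PSK, CCMP only.
  services.hostap5 =
    let
      # Example credentials only: this SSID and passphrase are published
      # with the example, so replace both before deploying. Values
      # written inline in a Nix configuration typically end up readable
      # in the Nix store of the build machine and in the built image, so
      # keep real ones out of version control.
      secrets = {
        ssid = "not-the-internet";
        channel = 36;
        wpa_passphrase = "diamond dogs";
      };
    in svc.hostapd.build {
      interface = config.hardware.networkInterfaces.wlan5;
      params = {
        country_code = "GB";
        hw_mode = "a";

        ht_capab = "[HT40+]";
        vht_oper_chwidth = 1; # 1 = 80 MHz operating width
        # Centre channel of the 80 MHz block (36 + 6 = 42). The fixed
        # offset only holds when `channel` is the lowest channel of its
        # block, so revisit it if the channel is changed.
        vht_oper_centr_freq_seg0_idx = secrets.channel + 6;
        ieee80211ac = 1;

        wmm_enabled = 1;
        inherit (secrets) ssid channel wpa_passphrase;
        # Bit field: 1 = open system authentication (what WPA/WPA2
        # uses), 2 = shared key (WEP), 3 = both.
        auth_algs = 1;
        wpa = 2; # 1=wpa, 2=wpa2, 3=both
        wpa_key_mgmt = "WPA-PSK";
        # Pairwise cipher for WPA1. hostapd does not consult it while
        # wpa = 2 and rsn_pairwise is set; it is kept at CCMP so that
        # TKIP cannot come back if WPA1 is ever switched on.
        wpa_pairwise = "CCMP";
        rsn_pairwise = "CCMP"; # pairwise cipher for WPA2 (RSN)
        # NOTE(review): management frame protection (ieee80211w) is not
        # set in these params; consider it if all clients support it.
      };
    };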

  # Primary bridge device, named "int".
  services.int = svc.bridge.primary.build { ifname = "int"; };

  # DHCP client on the bridge; declares the hostname service as a
  # dependency.
  services.dhcpc = svc.network.dhcp.client.build {
    dependencies = [ config.services.hostname ];
    interface = services.int;
  };

  # Interfaces attached to the bridge.
  # NOTE(review): wlan5 (used by services.hostap5) is not listed as a
  # member, so 5 GHz clients would presumably not be bridged; confirm
  # whether that is intended.
  services.bridge =
    let nics = config.hardware.networkInterfaces;
    in svc.bridge.members.build {
      primary = services.int;
      members = [ nics.lan nics.wlan ];
    };

  # SSH daemon built with the module's default settings.
  # NOTE(review): together with the root password below, this
  # presumably leaves a network-reachable root login protected only by
  # a published password; replace the password (or use key-based
  # login) before attaching the device to a network you do not fully
  # control.
  services.sshd = svc.ssh.build { };

  # The hash below is for the password "secret", which is published
  # with this example. Generate your own hashed password string with
  # `mkpasswd -m sha512crypt` and replace it.
  users.root.passwd = "$6$y7WZ5hM6l5nriLmo$5AJlmzQZ6WA.7uBC7S8L4o19ESR28Dg25v64/vDvvCN01Ms9QoHeGByj8lGlJ4/b.dbwR9Hq2KXurSnLigt1W1";

  # Extra packages for the default profile.
  defaultProfile.packages = [ pkgs.figlet pkgs.pciutils ];
}