{ lib, ... }:

let
  inherit (lib) mkDefault mkForce;
in

{
  _class = "nixops4Resource";

  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
  # machine. This is because different people access the machine in different
  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
  #
  #     Host forgejo-ci
  #          HostName 45.142.234.216
  #          HostKeyAlias forgejo-ci
  #
  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
  # with the SSH error “Host key verification failed”.
  ssh.host = mkForce "forgejo-ci";

  fediversityVm = {
    name = "forgejo-ci";
    domain = "procolix.com";
    isFediversityVm = false;

    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
  };

  nixos.module =
    { config, ... }:
    {
      _class = "nixos";

      imports = [
        ./forgejo-actions-runner.nix
      ];

      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;

      networking = {
        nftables.enable = mkForce false;
        hostId = "1d6ea552";
      };

      ## NOTE: This is a physical machine, so is not covered by disko
      fileSystems."/" = lib.mkForce {
        device = "rpool/root";
        fsType = "zfs";
      };

      fileSystems."/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };

      fileSystems."/boot" = lib.mkForce {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
}