# Deployment inventory: the user-facing applications and shared services,
# and the test VM that hosts each of them.
locals {
  vm_domain = "abundos.eu"

  # User-facing applications, keyed by service name. `cfg` is handed through
  # from the matching input variable; this file only ever reads `cfg.enable`.
  # FIXME: wrap applications at the interface to grab them in one go?
  application_configs = {
    mastodon = {
      cfg      = var.mastodon
      hostname = "test06"
    }
    pixelfed = {
      cfg      = var.pixelfed
      hostname = "test04"
    }
    peertube = {
      cfg      = var.peertube
      hostname = "test05"
    }
  }

  # Services shared between applications, keyed by service name and built
  # from a `service => hostname` map.
  peripherals = {
    for service, host in { garage = "test01" } : service => {
      hostname = host
      cfg = {
        # Switched on as soon as at least one user application is enabled.
        # An application whose `cfg.enable` cannot be evaluated counts as
        # disabled (the `try` falls back to false).
        enable = anytrue([
          for app in values(local.application_configs) : try(app.cfg.enable, false)
        ])
      }
    }
  }
}

# One `sync-nix` instance per enabled service (peripherals and applications).
module "nixos" {
  source = "../sync-nix"

  # Merge both inventories, drop every entry that is not enabled, and attach
  # the per-machine Terraform values and the rendered NixOS configuration.
  #
  # Inside the heredoc every `${...}` is expanded by Terraform before Nix
  # ever sees the text; a literal Nix antiquotation would have to be written
  # as `$${...}`. `inst.hostname` and `name` are pasted unescaped into Nix
  # path expressions, so they must stay static, trusted identifiers.
  #
  # SECURITY: the rendered config puts `keys.panel` into root's
  # authorized_keys on every enabled machine, so the holder of that private
  # key has root SSH on all of them. The FIXME inside the template (#24)
  # tracks replacing this with unprivileged users and password-less sudo.
  for_each = {
    for name, inst in merge(
      local.peripherals,
      local.application_configs,
    ) : name => merge(inst, {
      config_tf = {
        terraform = {
          domain      = var.domain
          hostname    = inst.hostname
          initialUser = var.initialUser
        }
      }
      config_nix = <<-EOF
      {
        # note interpolations here TF ones
        imports = [
          # shared NixOS config
          ${path.root}/../common/shared.nix
          # FIXME: separate template options by service
          ${path.root}/options.nix
          # for service `mastodon` import `mastodon.nix`
          ${path.root}/../../machines/operator/${inst.hostname}/${name}.nix
          # FIXME: get VM details from TF
          ${path.root}/../../machines/operator/${inst.hostname}
        ];
        ## FIXME: switch root authentication to users with password-less sudo, see #24
        users.users.root.openssh.authorizedKeys.keys = let keys = import ../../keys; in [
          # allow our panel vm access to the test machines
          keys.panel
        ];
      }
      EOF
    }) if try(inst.cfg.enable, false)
  }

  vm_domain  = local.vm_domain
  hostname   = each.value.hostname
  config_nix = each.value.config_nix
  config_tf  = each.value.config_tf
}