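{ self, utils, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, microvm, ... } @inputs:
# Flake outputs.
#
# Per system: a dev shell (sops/age tooling, docs tooling, microvm CLI and the
# repo's helper scripts), the helper scripts themselves, a docs derivation and
# one throwaway qemu VM per NixOS host (plain and "withsops").
# System-independent: the NixOS configurations, the exported modules and the
# Hydra job set.
let
  # i686-linux is dropped from defaultSystems so that `nix flake check`
  # succeeds; everything else in defaultSystems is evaluated.
  filter_system = name: name != utils.lib.system.i686-linux;
  supportedSystems = builtins.filter filter_system utils.lib.defaultSystems;
in
(utils.lib.eachSystem supportedSystems (system:
  let
    # Currently unused, kept so unstable packages can be pulled into the
    # per-system outputs without touching the inputs again.
    pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
    pkgs = nixpkgs.legacyPackages."${system}";

    # Helper scripts exported below under legacyPackages.<system>.scripts;
    # `installed` is the list of their names, used by the dev shell.
    scripts = self.legacyPackages."${pkgs.system}".scripts;
    installed = builtins.attrNames scripts;

    hosts = builtins.attrNames self.nixosConfigurations;

    # Module shared by every throwaway dev VM: run a host's configuration
    # under qemu with the host's /nix/store shared read-only, a tmpfs root
    # and a passwordless root login (announced on the getty banner).
    # These VMs are for local testing only; the empty root password and the
    # tmpfs root are deliberate and must not leak into a host build.
    devVmModule = {
      microvm = {
        mem = pkgs.lib.mkForce 4096;
        hypervisor = pkgs.lib.mkForce "qemu";
        socket = pkgs.lib.mkForce null;
        shares = pkgs.lib.mkForce [{
          tag = "ro-store";
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
        }];
      };
      boot.isContainer = pkgs.lib.mkForce false;
      users.users.root.password = "";
      fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
      services.getty.helpLine = ''
        Log in as "root" with an empty password.
        Use "reboot" to shut qemu down.
      '';
    };

    # Build the qemu runner for `host` with the modules in `extra` layered on
    # top of devVmModule. The microvm NixOS module is only added when the
    # host's configuration does not already declare the `microvm` options.
    mkDevVm = host: extra:
      let
        inherit (self.nixosConfigurations.${host}) config;
      in
      (self.nixosConfigurations.${host}.extendModules {
        modules = [ devVmModule ] ++ extra
          ++ pkgs.lib.optionals (! config ? microvm) [ microvm.nixosModules.microvm ];
      }).config.microvm.declaredRunner;

    # Plain dev VM: user-mode networking on a fixed, locally administered MAC.
    plainVmModules = [{
      microvm.interfaces = pkgs.lib.mkForce [{
        type = "user";
        id = "eth0";
        mac = "02:23:de:ad:be:ef";
      }];
    }];

    # Dev VM with a dummy sops setup: the host's dummy secrets file and a
    # development SSH host key. NOTE(review): any path literal referenced
    # here is copied into the world-readable Nix store, so devkey_ed25519
    # must only ever be a throwaway key for these VMs — presumably the one
    # the dummy.yaml files are encrypted for; confirm before reusing it.
    sopsVmModules = host: [{
      sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml;
      environment.etc = {
        devHostKey.source = ./machines/secrets/devkey_ed25519;
      };
      services.openssh.hostKeys = [{
        path = "/etc/devHostKey";
        type = "ed25519";
      }];
    }];
  in {
    devShells.default =
      let
        sops = sops-nix.packages."${pkgs.system}";
        microvmpkg = microvm.packages."${pkgs.system}";
      in
      pkgs.mkShell {
        # Key directories picked up by sops-import-keys-hook when the shell
        # is entered.
        sopsPGPKeyDirs = [
          "./machines/secrets/keys/hosts"
          "./machines/secrets/keys/users"
        ];
        nativeBuildInputs = [
          sops.ssh-to-pgp
          sops.sops-import-keys-hook
          sops.sops-init-gpg-key
          pkgs.sops
          pkgs.age
          pkgs.python310Packages.grip
          pkgs.mdbook
          microvmpkg.microvm
        ];
        packages = builtins.map (pkgName: scripts.${pkgName}) installed;
        shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
      };

    legacyPackages = {
      scripts.remote-install = pkgs.writeShellScriptBin "remote-install"
        (builtins.readFile ./scripts/remote-install-encrypt.sh);
      scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock"
        (builtins.readFile ./scripts/unlock-boot.sh);
    };

    packages = {
      # Rendered mdbook documentation under $out/share/doc.
      docs = pkgs.stdenv.mkDerivation {
        name = "malobeo-docs";
        phases = [ "buildPhase" ];
        buildInputs = [ pkgs.mdbook ];
        # Only the markdown and book.toml sources; exposed to the build as
        # the $inputs environment variable.
        inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
        buildPhase = ''
          dest=$out/share/doc
          mkdir -p $dest
          cp -r --no-preserve=all $inputs/* ./
          mdbook build
          cp -r ./book/* $dest
        '';
      };
    }
    # One "<host>-vm" and one "<host>-vm-withsops" runner per NixOS host.
    // builtins.foldl' (result: host: result // {
      "${host}-vm" = mkDevVm host plainVmModules;
      "${host}-vm-withsops" = mkDevVm host (sopsVmModules host);
    }) { } hosts;

    apps = {
      # `nix run .#docs` serves the book locally and opens it in a browser.
      docs = {
        type = "app";
        program = builtins.toString (pkgs.writeShellScript "docs" ''
          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
        '');
      };
    };
  }))
// {
  nixosConfigurations = import ./machines/configuration.nix (inputs // { inherit inputs self; });

  # Modules exported for reuse; each key is an attrset of imports so callers
  # can pull in one concern at a time.
  nixosModules.malobeo = {
    host.imports = [ ./machines/durruti/host_config.nix ];
    microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
    vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
    initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
    disko.imports = [ ./machines/modules/disko ];
  };

  # One Hydra job per NixOS configuration: hosts whose name starts with
  # "sdImage" build the SD card image, all others build the system toplevel.
  hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
    let
      getBuildEntry = name: nixosSystem:
        if nixpkgs.lib.hasPrefix "sdImage" name
        then nixosSystem.config.system.build.sdImage
        else nixosSystem.config.system.build.toplevel;
    in
    nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations
  );
}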