# NixOS module for the host named "bagel-box": marks the system as a container,
# forces the special-filesystem set down to the wrappers tmpfs, configures
# static IPv6 networking, and enables OpenSSH with root authorized keys.
{ config, lib, ... }:

{
  # Presumably run under systemd-nspawn (see the XXX note below) - confirm.
  boot.isContainer = true;

  # XXX: There's currently no way to remove the "problematic" entries (trying
  # to override the /proc, /sys, /dev, ... mounts from systemd-nspawn) while
  # also keeping the entry for the wrappers dir.
  #
  # lib.mkForce replaces the option value instead of merging with it, so
  # "/run/wrappers" is the only entry left in boot.specialFileSystems.
  # NOTE(review): entries that other modules add to this option are discarded
  # as well; re-check this override after NixOS upgrades.
  boot.specialFileSystems = lib.mkForce {
    "/run/wrappers" = {
      fsType = "tmpfs";
      # "nodev" is set; "nosuid" and "noexec" are not.
      # NOTE(review): presumably because this directory holds the setuid
      # wrapper programs - confirm before tightening.
      options = [ "nodev" "mode=755" "size=${config.security.wrapperDirSize}" ];
    };
  };

  boot.loader.initScript.enable = true;

  networking = {
    useNetworkd = true;
    # Do not reuse the host's resolv.conf; resolvers come from the list below.
    useHostResolvConf = false;
    hostName = "bagel-box";
    # NOTE(review): a single resolver (a Google Public DNS IPv6 address), so
    # there is no fallback and every lookup goes to a third-party resolver.
    nameservers = [ "2001:4860:4860::8844" ];
    # Static address on host0 (presumably the container side of the nspawn
    # veth pair - confirm).
    interfaces.host0.ipv6.addresses = [
      { address = "2001:bc8:38ee:100:100::1"; prefixLength = 64; }
    ];
    # Allows ICMP echo requests through the firewall.
    # NOTE(review): no other firewall option is set in this file; whether the
    # firewall is enabled and which ports are open is left to defaults and
    # other modules - confirm the effective rule set.
    firewall.allowPing = true;
  };

  # NOTE(review): no sshd option other than `enable` is set here, so password
  # authentication and the root-login policy come from the release defaults.
  # Confirm that password authentication is off and that root login is
  # restricted to keys for the NixOS release in use.
  services.openssh.enable = true;

  # Every key below logs in directly as root, so sessions can be attributed
  # only by key fingerprint.
  # NOTE(review): five keys but only two owner labels; the three keys after
  # the ssh-rsa entry are presumably raito's as well - confirm and label each
  # key so it can be revoked individually. Key types are mixed (ed25519, rsa,
  # ecdsa nistp256); check them against the key policy.
  users.users.root.openssh.authorizedKeys.keys = [
    # delroth
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV"
    # raito
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
  ];

  # Same literal as the host0 address above; change the two together.
  # NOTE(review): the `deployment` option is not defined in this file -
  # presumably it is consumed by the deployment tool; confirm.
  deployment.targetHost = "2001:bc8:38ee:100:100::1";
}