{ testers, config, extendModules, lib, system }:

let
  lift = config;

  snakeoil = {
    ssh = {
      public = lib.fileContents ./snakeoil/ssh/snakeoil-key.pub;
      private = ./snakeoil/ssh/snakeoil-key;
    };
    wireguard = {
      public = lib.genAttrs nodes (node: lib.fileContents ./snakeoil/wireguard/public-key-${toString digits.${node}});
      private = lib.genAttrs nodes (node: ./snakeoil/wireguard/private-key-${toString digits.${node}});
    };
  };

  nodes = lib.attrNames config.gods.fromLight;
  digits = lib.attrsets.listToAttrs (lib.zipListsWith lib.nameValuePair nodes (lib.range 1 255));
  depot' = extendModules {
    modules = [
      ({ config, ... }: {
        gods.fromLight = lib.mapAttrs (name: cfg: {
          interfaces.primary = {
            link = lib.mkForce "vprimary";
          };
          ssh.id.publicKey = lib.mkForce snakeoil.ssh.public;
        }) lift.gods.fromLight;

        cluster = lib.mkForce (lift.cluster.extendModules {
          specialArgs.depot = config;
          modules = [
            {
              hostLinks = lib.genAttrs nodes (node: {
                mesh.extra = lib.mkForce (lift.cluster.config.hostLinks.${node}.mesh.extra // {
                  pubKey = snakeoil.wireguard.public.${node};
                });
              });
            }
          ];
        });
      })
    ];
  };
  specialArgs = depot'.config.lib.summon system lib.id;
in

testers.runNixOSTest {
  name = "simulacrum";

  node = { inherit specialArgs; };
  nodes = lib.genAttrs nodes (node: let
    hour = depot'.config.hours.${node};
  in {
    imports = [
      specialArgs.depot.hours.${node}.nixos
      ./modules/nixos/age-dummy-secrets
      ./modules/nixos/external-storage.nix
    ] ++ depot'.config.cluster.config.out.injectNixosConfigForServices [ "consul" "certificates" "nginx" "wireguard" "frangiclave" ] node;

    boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
    networking = {
      interfaces = {
        ${hour.interfaces.primary.link} = {
          useDHCP = lib.mkForce false;
          virtual = true;
          ipv4.addresses = lib.mkForce [
            {
              address = hour.interfaces.primary.addr;
              prefixLength = 32;
            }
          ];
        };
        eth1.ipv4.routes = lib.pipe nodes [
          (lib.filter (n: n != node))
          (map (n: let
            hour = depot'.config.hours.${n};
          in {
            address = hour.interfaces.primary.addrPublic;
            prefixLength = 32;
            via = "192.168.1.${toString digits.${n}}";
          }))
        ];
      };

      firewall.extraCommands = lib.mkAfter (lib.optionalString (hour.interfaces.primary.isNat) ''
        # self-nat
        iptables -t nat -A PREROUTING -d ${hour.interfaces.primary.addrPublic} -j DNAT --to-destination ${hour.interfaces.primary.addr}
        iptables -t nat -A POSTROUTING -s ${hour.interfaces.primary.addr} -j SNAT --to-source ${hour.interfaces.primary.addrPublic}
      '');
    };

    systemd.services = {
      hyprspace.enable = false;
      cachix-agent.enable = false;
    };

    environment.etc = {
      "ssh/ssh_host_ed25519_key" = {
        source = snakeoil.ssh.private;
        mode = "0400";
      };
      "dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce snakeoil.wireguard.private.${node};
      "dummy-secrets/grafana-agent-blackbox-secret-monitoring".text = lib.mkForce ''
        SECRET_MONITORING_BLACKBOX_TARGET_1_NAME=example-external-service
        SECRET_MONITORING_BLACKBOX_TARGET_1_MODULE=http2xx
        SECRET_MONITORING_BLACKBOX_TARGET_1_ADDRESS=http://127.0.0.1:1
      '';
      "dummy-secrets/garageRpcSecret".text = lib.mkForce "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    };
    virtualisation = {
      cores = 2;
      memorySize = 4096;
    };
  });

  testScript = ''
    grail.succeed("false")
  '';
}