let
  inherit (import ./sources.nix) defaultPkgs overlays;

  pkgs = import defaultPkgs { inherit overlays; };

  inherit (pkgs) lib;

  mkMachine = name:
    { tags, pkgs ? null }:
    { config, ... }: {
      _module.args = {
        machineName = "${name}.c8h4.io";
        my = import ./secrets/my.nix;
        inherit (config.deployment) secrets;
      };
      imports = [ (./machines + "/${name}.nix") ./modules ];
      nixpkgs.pkgs = lib.mkIf (pkgs != null) pkgs;
      deployment = {
        substituteOnDestination = true;
        inherit tags;
      };
    };

  machines = {
    back = { tags = [ "external" "server" "baremetal" ]; };
    fort = { tags = [ "external" "server" "vm" ]; };
    tank = {
      tags = [ "homelab" "server" "baremetal" ];
      pkgs = import defaultPkgs {
        inherit overlays;
        # https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
        config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
      };
    };
    trek = { tags = [ "desktop" ]; };
    zero = { tags = [ "desktop" ]; };
  };
in {
  network = {
    inherit pkgs;
    description = "c8h4.io infrastructure";
  };
} // (builtins.mapAttrs mkMachine machines)