{ config, lib, ... }:

with lib;

let
  containerConfig = config.containers.printing.config;
in {
  config = {
    containers.printing = {
      privateNetwork = true;
      ephemeral = true;
      autoStart = true;
      hostAddress = "10.141.5.0";
      hostAddress6 = "2a03:4000:52:ada:5::";
      localAddress = "10.141.5.1";
      localAddress6 = "2a03:4000:52:ada:5::1";
      interfaces = [ "printer" ];
      config = let
        hostConfig = config;
      in { ... }: {
        config = {
          services = {
            kea = {
              dhcp4 = {
                enable = true;
                settings = {
                  valid-lifetime = 4000;
                  rebind-timer = 2000;
                  renew-timer = 1000;

                  interfaces-config = {
                    interfaces = [ "printer" ];
                  };

                  lease-database = {
                    name = "/var/lib/kea/dhcp4.leases";
                    persist = true;
                    type = "memfile";
                  };

                  subnet4 = [
                    { subnet = "10.141.3.0/24";
                      option-data = [
                        { name = "domain-name-servers";
                          data = "10.141.5.0";
                        }
                        { name = "ntp-servers";
                          data = "10.141.5.0";
                        }
                        { name = "broadcast-address";
                          data = "10.141.3.255";
                        }
                        { name = "routers";
                          data = "10.141.3.1";
                        }
                        { name = "domain-name";
                          data = "yggdrasil";
                        }
                        { name = "domain-search";
                          data = "printer.yggdrasil, yggdrasil";
                        }
                      ];
                      pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ];
                      reservations = [
                        { hostname = "printer";
                          hw-address = "30:cd:a7:b0:55:8d";
                          ip-address = "10.141.3.2";
                        }
                      ];
                    }
                  ];
                };
              };
            };

            printing = {
              enable = true;
              listenAddresses = [
                "*:631"
              ];
              logLevel = "all";
              extraConf = mkForce ''
                ServerName printing
                ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil

                DefaultEncryption Never

                <Location />
                  Order allow,deny
                  Allow from 10.0.0.0/8
                  Satisfy any
                </Location>

                <Location /admin>
                  Order allow,deny
                  Allow from 10.0.0.0/8
                  Satisfy any
                </Location>

                <Location /admin/conf>
                  Order allow,deny
                  Allow from 10.0.0.0/8
                  Satisfy any
                </Location>

                <Policy default>
                  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
                    Order allow,deny
                    Allow from 10.0.0.0/8
                    Satisfy any
                  </Limit>

                  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
                    Order allow,deny
                    Allow from 10.0.0.0/8
                    Satisfy any
                  </Limit>

                  <Limit Cancel-Job CUPS-Authenticate-Job>
                    Order allow,deny
                    Allow from 10.0.0.0/8
                    Satisfy any
                  </Limit>

                  <Limit All>
                    Order allow,deny
                    Allow from 10.0.0.0/8
                    Satisfy any
                  </Limit>
                </Policy>
              '';
            };

            resolved.enable = false;
          };

          networking = {
            firewall.enable = false;
            nftables = {
              enable = true;
              rulesetFile = ./ruleset.nft;
            };

            useDHCP = false;
            useNetworkd = true;

            interfaces."printer" = {
              ipv4.addresses = [
                { address = "10.141.3.1"; prefixLength = 24; }
              ];
            };
          };

          environment.etc."resolv.conf".text = ''
            nameserver ${hostConfig.containers.printing.hostAddress6}
          '';

          system.stateVersion = hostConfig.system.stateVersion;
        };
      };
    };

    networking = {
      vlans.printer = {
        id = 5;
        interface = "eno2";
      };
    };
  };
}