{ config, pkgs, lib, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
    ];

  profiles.clerie.mercury-vm.enable = true;

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
  # VM Nat Netz mercury
  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
  # Ildix
  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
  # Route to dn42-ildix-service
  networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];

  # public address
  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];

  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };

  # Open Firewall for BGP
  networking.firewall.allowedTCPPorts = [ 179 ];
  # Open Fireall for OSPF
  networking.firewall.extraCommands = ''
  ip6tables -A INPUT -p ospfigp -j ACCEPT
  iptables -A INPUT -p ospfigp -j ACCEPT
  '';

  services.bird.enable = true;
  services.bird.package = pkgs.bird2;
  services.bird.config = ''
  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };

  protocol direct {
    interface "ens19";
    ipv6 {
      table master6;
    };
  }

  roa6 table r6;

  protocol rpki {
    debug all;

    roa6 { table r6; };

    remote fd81:edb3:71d8:ffff::20 port 8282;

    retry keep 5;
    refresh keep 30;
    expire 600;
  }


  filter import_dn42 {
    if (roa_check(r6, net, bgp_path.last) = ROA_INVALID) then reject;
    if net ~ [fd81:edb3:71d8::/48{48,128}] then reject;
    if net ~ [fd00::/8{8,64}] then accept;
    reject;
  }

  filter export_dn42 {
    if net ~ [fd81:edb3:71d8:ffff::/64{64,128}] then reject;
    if net ~ [fd00::/8{8,64}] then accept;
    reject;
  }

  template bgp bgp_peer {
    local as 4242422953;
    graceful restart on;
    rs client;
    source address fd81:edb3:71d8:ffff::13;
    ipv6 {
      table master6;
      next hop keep;
      import keep filtered;
      import filter import_dn42;
      export filter export_dn42;
    };
  }

  protocol bgp peer_1307_max_dn42_1 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:1307::1 as 4242421307;
  }

  protocol bgp peer_3012_dn42_c_1 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:3012::2 as 4242423012;
  }

  protocol bgp peer_3012_dn42_c_2 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:3012::3 as 4242423012;
  }

  protocol bgp peer_2574_dn42_il_gw5 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:2574::5 as 4242422574;
  }

  protocol bgp peer_2574_dn42_il_gw6 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:2574::6 as 4242422574;
  }

  protocol bgp peer_3929_v0tti_dn42 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:3929::1 as 4242423929;
  }

  protocol bgp peer_2619_frainz_dn42 from bgp_peer {
    neighbor fd81:edb3:71d8:ffff:2619::1 as 4242422619;
  }

  # Internal
  protocol bgp peer_2953_dn42_ildix_service {
    local as 4242422953;
    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
    source address fd81:edb3:71d8:ffff::13;
    multihop 64;
    rr client;
    ipv6 {
      table master6;
      next hop keep;
      add paths tx;
      import filter {
        reject;
      };
      export filter {
        accept;
      };
    };
  }

  protocol device {
    scan time 10;
  }
  '';

  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };

  clerie.monitoring = {
    enable = true;
    id = "399";
    pubkey = "K7NkCFKSnMIgC0D5wejSpty56AYacfxE+feMsfWtHSo=";
    bird = true;
  };

  system.stateVersion = "21.03";
}