{ flake, ... }:

{
  sops = {
    secrets = {
      "vms/m1/services/openssh/key/ed25519" = {};
      "vms/m1/services/openssh/key/rsa" = {};
      "vms/w1/services/openssh/key/ed25519" = {};
      "vms/w1/services/openssh/key/rsa" = {};
    };
  };

  systemd.tmpfiles.rules = [
    "d /etc/microvms/m1/ssh/ 0755 root root - -"
    "d /etc/microvms/w1/ssh/ 0755 root root - -"
  ];

  systemd.network.networks."10-lan".matchConfig.Name = ["vm-*-01"];
  systemd.network.networks."20-storage".matchConfig.Name = ["vm-*-02"];

  systemd.services = {
    "microvm@m1" = {
      unitConfig = {
        AssertPathExists = "/run/secrets/vms/m1/services/openssh/key/ed25519";
        AssertFileNotEmpty = "/run/secrets/vms/m1/services/openssh/key/ed25519";
      };
    };
    "microvm@w1" = {
      unitConfig = {
        AssertPathExists = "/run/secrets/vms/w1/services/openssh/key/ed25519";
        AssertFileNotEmpty = "/run/secrets/vms/w1/services/openssh/key/ed25519";
      };
    };
  };

  microvm = {
    vms = {
      m1 = {
        flake = flake;
        updateFlake = "git+https://code.beancloud.de/beancloud/datacenter.git?ref=master";
        restartIfChanged = true;
      };
      w1 = {
        flake = flake;
        updateFlake = "git+https://code.beancloud.de/beancloud/datacenter.git?ref=master";
        restartIfChanged = true;
      };
    };
    autostart = [ "m1" "w1" ];
  };
}