# NixOS module for the "stream" guest: a QEMU microvm with a single tap NIC,
# a static address in 10.99.99.0/24, and virtiofs shares for the store and
# for the guest's /etc, /var and /home.
{ config, lib, ... }:

let
  # Locally administered unicast MAC (02: prefix). The same value names the
  # tap interface below and selects the matching systemd-networkd unit.
  mac = "02:00:00:00:00:07";

  # Guest directories backed by host directories of the same (relative) name.
  # NOTE(review): the sources are relative paths; presumably they resolve
  # against the microvm's working/state directory on the host. Confirm that
  # directory is not writable by unprivileged host users, since it holds the
  # guest's whole /etc (including SSH host keys).
  stateDirs = [ "etc" "var" "home" ];

  # Build one virtiofs share entry for a state directory.
  mkStateShare = dir: {
    source = dir;
    mountPoint = "/${dir}";
    tag = dir;
    proto = "virtiofs";
  };

  # The host's Nix store, exposed to the guest. Every store path on the host
  # becomes readable inside the guest, so nothing secret may live in the
  # store.
  storeShare = {
    source = "/nix/store";
    mountPoint = "/nix/.ro-store";
    tag = "store";
    proto = "virtiofs";
  };
in
{
  imports = [ ];

  # Secret provisioning via sops is currently disabled (`config` is only
  # referenced from this commented-out block).
  # NOTE(review): if re-enabled, the age identity is derived from
  # /etc/ssh/ssh_host_ed25519_key, which sits on the shared "etc" mount.
  # The decryption key is then stored on the host side of that share.
  # sops.defaultSopsFile = ./secrets.yaml;
  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  #
  # sops.secrets = {
  #   "wg/0xa-proxy" = {
  #     owner = config.users.users.systemd-network.name;
  #   };
  # };

  microvm = {
    hypervisor = "qemu";
    mem = 4 * 1024;
    vcpu = 3;

    interfaces = [
      {
        type = "tap";
        id = "uvm-stream";
        inherit mac;
      }
    ];

    shares = [ storeShare ] ++ map mkStateShare stateDirs;
  };

  networking = {
    hostName = "stream";
    useNetworkd = true;

    # Firewalling is done by the host; the guest runs with no packet filter
    # of its own (mkForce overrides any module that would switch it back on).
    # Every service listening in the guest is therefore reachable by anything
    # that can reach the "uvm-stream" tap.
    # NOTE(review): the host rules are not visible here. Verify they cover
    # this tap, including traffic from other guests on the same bridge.
    firewall.enable = lib.mkForce false;
  };

  systemd.network.enable = true;

  # Static addressing for the tap NIC, matched by MAC rather than by
  # interface name.
  systemd.network.networks."11-host" = {
    matchConfig = {
      MACAddress = mac;
    };

    networkConfig = {
      Address = "10.99.99.17/24";
      DHCP = "no";
    };

    # Default route via the host-side gateway.
    routes = [
      {
        Gateway = "10.99.99.1";
        Destination = "0.0.0.0/0";
        Metric = 1024;
      }
    ];
  };

  system.stateVersion = "25.05";
}