{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
}:

with import ../lib/testing-python.nix { inherit system pkgs; };

let
  packages = with pkgs; {
    "default" = teleport;
    "15" = teleport_15;
  };

  minimal = package: {
    services.teleport = {
      enable = true;
      inherit package;
    };
  };

  client = package: {
    services.teleport = {
      enable = true;
      inherit package;
      settings = {
        teleport = {
          nodename = "client";
          advertise_ip = "192.168.1.20";
          auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
          auth_servers = [ "192.168.1.10:3025" ];
          log.severity = "DEBUG";
        };
        ssh_service = {
          enabled = true;
          labels = {
            role = "client";
          };
        };
        proxy_service.enabled = false;
        auth_service.enabled = false;
      };
    };
    networking.interfaces.eth1.ipv4.addresses = [{
      address = "192.168.1.20";
      prefixLength = 24;
    }];
  };

  server = package: {
    services.teleport = {
      enable = true;
      inherit package;
      settings = {
        teleport = {
          nodename = "server";
          advertise_ip = "192.168.1.10";
        };
        ssh_service.enabled = true;
        proxy_service.enabled = true;
        auth_service = {
          enabled = true;
          tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
        };
      };
      diag.enable = true;
      insecure.enable = true;
    };
    networking = {
      firewall.allowedTCPPorts = [ 3025 ];
      interfaces.eth1.ipv4.addresses = [{
        address = "192.168.1.10";
        prefixLength = 24;
      }];
    };
  };
in
lib.concatMapAttrs
  (name: package: {
    "minimal_${name}" = makeTest {
      # minimal setup should always work
      name = "teleport-minimal-setup";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes.minimal = minimal package;

      testScript = ''
        minimal.wait_for_open_port(3025)
        minimal.wait_for_open_port(3080)
        minimal.wait_for_open_port(3022)
      '';
    };

    "basic_${name}" = makeTest {
      # basic server and client test
      name = "teleport-server-client";
      meta.maintainers = with pkgs.lib.maintainers; [ justinas ];
      nodes = {
        server = server package;
        client = client package;
      };

      testScript = ''
        with subtest("teleport ready"):
            server.wait_for_open_port(3025)
            client.wait_for_open_port(3022)

        with subtest("check applied configuration"):
            server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
            server.wait_for_open_port(3000)
            client.succeed("journalctl -u teleport.service --grep='DEBU'")
            server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
      '';
    };
  })
  packages