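# Package scope for the cluster's Kubernetes PKI material.
#
# Exposes four attributes:
#   ca            - built from ./package/k8s-ca/package.nix
#   kubernetes    - built from ./package/k8s-kubernetes/package.nix
#   keys          - built from ./package/k8s-keys/package.nix
#   deploy_script - shell script ("deploy-keys") that copies the certificate,
#                   its private key and the CA certificate to nc0, nc1 and nc2
#                   through the host reachable as `mrmanager`.
#
# NOTE(review): the deployed files, including kubernetes-key.pem, are
# referenced as outputs of `self.kubernetes` / `self.ca`, i.e. as Nix store
# paths. On a default Nix installation the store is readable by every local
# user, and store paths travel with any closure that is copied to another
# machine or cache. Confirm that this exposure of the private key is accepted,
# or generate/keep the key outside the store.
{
  makeScope,
  newScope,
  callPackage,
  writeShellScript,
  openssh,
  lib,
}:
let
  public_addresses = [ "74.80.180.138" ];

  # One IPv4 and one IPv6 address per node; the node name precedes each pair.
  internal_addresses = [
    # nc0
    "10.215.1.221"
    "2620:11f:7001:7:ffff:ffff:0ad7:01dd"
    # nc1
    "10.215.1.222"
    "2620:11f:7001:7:ffff:ffff:0ad7:01de"
    # nc2
    "10.215.1.223"
    "2620:11f:7001:7:ffff:ffff:0ad7:01df"
    # nw0
    "10.215.1.224"
    "2620:11f:7001:7:ffff:ffff:0ad7:01e0"
    # nw1
    "10.215.1.225"
    "2620:11f:7001:7:ffff:ffff:0ad7:01e1"
    # nw2
    "10.215.1.226"
    "2620:11f:7001:7:ffff:ffff:0ad7:01e2"
  ];

  # Handed to every package below as `all_hostnames`.
  # Presumably these become the certificate's subject alternative names;
  # verify against the package.nix files, which are not visible here.
  all_hostnames = [
    "10.197.0.1"
    "10.0.0.1"
    "127.0.0.1"
    "kubernetes"
    "kubernetes.default"
    "kubernetes.default.svc"
    "kubernetes.default.svc.cluster"
    "kubernetes.svc.cluster.local"
  ]
  ++ public_addresses
  ++ internal_addresses;
in
makeScope newScope (
  self:
  let
    # Extra arguments given to each callPackage below.
    additional_vars = {
      inherit all_hostnames;
      k8s = self;
    };

    ssh = "${openssh}/bin/ssh";
    scp = "${openssh}/bin/scp";

    # Shell snippet that installs one file into a VM's persistent key
    # directory on mrmanager.
    #
    #   vm_name - VM directory name under /vm (e.g. "nc0")
    #   file    - path of the file to deploy; only its base name is used remotely
    #
    # Steps: remove any previous target and staged copy, upload to the remote
    # login directory, `doas install` into place with owner 11235, group 998,
    # mode 0640, then remove the staged copy.
    #
    # The staged copy is addressed as ./NAME instead of ~/NAME. A word that
    # starts with `~` in an ssh command line is expanded by the LOCAL shell,
    # so the cleanup `rm -f` only hit the uploaded file when the local and
    # remote home directories had the same path; otherwise `rm -f` succeeded
    # silently and the private key stayed in the remote home. Remote commands
    # and scp targets both resolve relative paths against the remote login
    # directory, so ./NAME names the same file in every step.
    #
    # NOTE(review): the staged copy is created by scp with the mode of the
    # source file filtered by the remote umask. Store files are read-only for
    # all users, so the staged private key is likely world-readable until the
    # final rm; confirm the remote home is not traversable by other accounts.
    # NOTE(review): under `set -e` a failing install aborts the script before
    # the final rm, leaving the staged copy until the next run removes it.
    deploy_key =
      vm_name: file:
      let
        name = builtins.baseNameOf file;
        staged = "./${name}";
        target = "/vm/${vm_name}/persist/keys/${name}";
      in
      ''
        ${ssh} mrmanager rm -f ${target} ${staged}
        ${scp} ${file} mrmanager:${staged}
        # install as 11235:998 for talexander:etcd
        ${ssh} mrmanager doas install -o 11235 -g 998 -m 0640 ${staged} ${target}
        ${ssh} mrmanager rm -f ${staged}
      '';

    # Shell snippet for one VM: create the key directory (owner and group
    # talexander, mode 0755), then deploy the certificate, its private key and
    # the CA certificate. The directory is world-listable; the files inside
    # are 0640.
    deploy_machine =
      vm_name:
      ''
        ${ssh} mrmanager doas install -d -o talexander -g talexander -m 0755 /vm/${vm_name}/persist/keys/
      ''
      + lib.concatMapStringsSep "\n" (deploy_key vm_name) [
        "${self.kubernetes}/kubernetes.pem"
        "${self.kubernetes}/kubernetes-key.pem"
        "${self.ca}/ca.pem"
      ];

    # Full script body: strict-mode preamble followed by the per-VM snippets
    # for the three nc* nodes. DIR is kept from the original preamble; none of
    # the generated commands reference it.
    deploy_script =
      ''
        set -euo pipefail
        IFS=$'\n\t'
        DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
      ''
      + lib.concatMapStringsSep "\n" deploy_machine [
        "nc0"
        "nc1"
        "nc2"
      ];
  in
  {
    ca = callPackage ./package/k8s-ca/package.nix additional_vars;
    kubernetes = callPackage ./package/k8s-kubernetes/package.nix additional_vars;
    keys = callPackage ./package/k8s-keys/package.nix additional_vars;
    deploy_script = writeShellScript "deploy-keys" deploy_script;
  }
)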