{ config, lib, pkgs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
      ./disko-config.nix
    ];

  boot = {
    # Lanzaboote currently replaces the systemd-boot module.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.efi.canTouchEfiVariables = true;
    bootspec.enable = true;
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
      # This will be the new location in unstable
      # pkiBundle = "/var/lib/sbctl";
    };
    initrd.systemd.enable = true;
    # Name "crypted" corresponds to the luks name in disko config
    initrd.luks.devices.crypted = {
      device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50";
      crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
    # Required for subnet route advertising in Tailscale
    kernel.sysctl."net.ipv4.ip_forward" = 1;
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    supportedFilesystems = [ "zfs" ];
    zfs = {
      extraPools = ["storage"];
      forceImportRoot = false;
    };
  };

  networking = {
    hostName = "dalinar";
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 80 443];
    };
    # head -c4 /dev/urandom | od -A none -t x4
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    hostId = "0c2ce418";
    useNetworkd = true;
  };

  services.resolved = {
    enable = true;
    # Unbound is running
    extraConfig = ''
      DNSStubListener=no
    '';
  };

  time.timeZone = "Europe/Berlin";

  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [];
  sops.age.keyFile = "/etc/age/keys.txt";
  sops.secrets."miniflux/ADMIN_USERNAME" = { };
  sops.secrets."miniflux/ADMIN_PASSWORD" = { };
  sops.templates."miniflux-admin-credentials".content = ''
    ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
    ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
  '';
  sops.secrets."caddy/ionos_dns_api_key" = { };
  sops.templates."caddy-global-conf".content = ''
    IONOS_API_KEY=${config.sops.placeholder."caddy/ionos_dns_api_key"}
  '';


  i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
     keyMap = "de";
  };

  users.mutableUsers = false;
  # mkpasswd -m sha512crypt <password>
  users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";

  environment.systemPackages = with pkgs; [
    ethtool
    htop
    sbctl
    tmux
    vim
    wget
    zfs
  ];

  powerManagement.powertop.enable = true;
  programs.neovim.enable = true;

  services.tailscale.enable = true;
  services.networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
        ${pkgs.ethtool}/bin/ethtool -K eno1 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };

  services.zfs.autoScrub.enable = true;

  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
        port = 5335;
        access-control = [ "127.0.0.1 allow" ];
        harden-glue = true;
        num-threads = 4;
        harden-dnssec-stripped = true;
        use-caps-for-id = false;
        prefetch = true;
        edns-buffer-size = 1232;
        hide-identity = true;
        hide-version = true;
        private-address = [
          "172.16.0.0/12"
        ];
      };
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };

  services.blocky = {
    enable = true;
    settings = {
      upstreams.groups.default = [
        "127.0.0.1:${toString config.services.unbound.settings.server.port}"
      ];
      blocking = {
        denylists.ads = [
            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
        ];
        clientGroupsBlock.default = [ "ads" ];
      };
      customDNS = {
        mapping = {
          # This mapping is recursive so foo.dalinar.home.johannes-rothe.de also resolves
          "dalinar.home.johannes-rothe.de" = "172.16.0.2";
          "base.home.johannes-rothe.de" = "172.16.0.3";
        };
      };
      ports = {
        dns = 53;
        http = 4000; # port for prometheus metrics
      };
      prometheus = {
        enable = true;
        path = "/metrics";
      };
      queryLog.type = "none";
    };
  };

  services.immich = {
    enable = true;
    host = "0.0.0.0";
    openFirewall = true;
    machine-learning.enable = false;
    # TODO set data dir
  };

  services.prometheus = {
    enable = true;
    retentionTime = "60d";
    globalConfig.scrape_interval = "15s";
    scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [{
          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
        }];
      }
      {
        job_name = "blocky";
        static_configs = [{
          targets = [ "localhost:${toString config.services.blocky.settings.ports.http}" ];
        }];
      }
    ];
    exporters.node = {
      enable = true;
      enabledCollectors = [
        "systemd"
      ];
      disabledCollectors = [
        "textfile"
      ];
      port = 9100;
    };
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        http_addr = "0.0.0.0";
        http_port = 3000;
        domain = "dalinar";
      };
    };
  };

  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
  };

  services.caddy = {
    enable = true;
    environmentFile = config.sops.templates."caddy-global-conf".path;
    globalConfig = ''
    acme_dns ionos {$IONOS_API_KEY}
    '';
    logFormat = lib.mkForce "level INFO";
    # Use my custom build to integrate the ionos DNS challenge plugin
    package = pkgs.callPackage ../../packages/caddy {};
    virtualHosts = {
      "https://grafana.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
        '';
      };
      "https://prometheus.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
        '';
      };
      "https://feeds.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:8080
        '';
      };
    };
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?

}