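# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "empyrean": a Xen guest (GRUB on /dev/xvda, serial console) that
# terminates TLS for several static sites and one reverse proxy, joins the
# "beatific" tinc network as a lighthouse, and runs the intake service on
# an overlay address.  Public exposure is limited to 80/443 (nginx) and
# 655 (tinc) by the firewall section at the bottom.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    #./amanuensis.nix
    ./catacomb.nix
    ./gitea.nix
    ./sync-pipeline.nix
  ];

  beatific.hostName = "empyrean";
  beatific.isLighthouse = true;
  beatific.defaults.tvbSync = true;

  # Use the GRUB 2 boot loader.
  # The console is redirected to the first serial port so the Xen host can
  # reach the boot menu and kernel output.
  boot.loader.grub = {
    enable = true;
    device = "/dev/xvda";
    extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
  };
  boot.kernelParams = [ "console=ttyS0" ];

  nix = {
    package = pkgs.nixFlakes;
    settings.max-jobs = 2;
  };

  swapDevices = [
    {
      device = "/swap";
      size = 1024;
    }
  ];

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.eth0.useDHCP = true;

  environment.systemPackages = with pkgs; [
    tinc_pre
    gitea
  ];

  services.nginx =
    let
      # A TLS-only static vhost served from /srv/<name>/ with its own access log.
      # ACME issues the certificate; plain-HTTP requests are redirected to HTTPS.
      static-site = srv-dir: {
        enableACME = true;
        forceSSL = true;
        root = "/srv/${srv-dir}/";
        extraConfig = ''
          access_log /var/log/nginx/access_${srv-dir}.log;
          index index.html;
        '';
      };
      # Plain-HTTP placeholder for names that resolve here but are served
      # elsewhere: TLS handshakes are rejected and every request gets 403.
      service-stub = {
        rejectSSL = true;
        locations."/".return = "403";
      };
    in
    {
      enable = true;
      recommendedProxySettings = true;
      # Apply the module's TLS hardening (protocol/cipher selection, session
      # ticket handling, OCSP stapling) to every HTTPS vhost below instead of
      # relying on nginx's compiled-in defaults.
      recommendedTlsSettings = true;
      virtualHosts = {
        # Static pages
        "home.ktvb.site" = static-site "home.ktvb.site";
        "wedding.ktvb.site" = static-site "wedding.ktvb.site";
        "www.ktvb.site" = static-site "www.ktvb.site";
        "www.alogoulogoi.com" = static-site "www.alogoulogoi.com";
        "ecumene.alogoulogoi.com" = static-site "ecumene.alogoulogoi.com";

        # Home service stub domains
        "mopidy.home.ktvb.site" = service-stub;
        "jellyfin.home.ktvb.site" = service-stub;

        # mirror revproxy
        # The upstream is reached over plain HTTP; presumably it is only
        # reachable through the tinc overlay — confirm it is not bound on a
        # public interface, since nothing here protects that hop.
        "mirror.alogoulogoi.com" = {
          enableACME = true;
          forceSSL = true;
          extraConfig = ''
            access_log /var/log/nginx/access_mirror.alogoulogoi.com.log;
          '';
          locations."/".proxyPass = "http://mirror.backyard.home:7474/";
        };

        # Deny all other subdomains
        # As the default vhost this also catches any Host/SNI not listed above
        # (not only *.alogoulogoi.com): TLS handshakes are rejected and plain
        # HTTP connections are closed without a response (nginx status 444).
        "alogoulogoi.com" = {
          default = true;
          rejectSSL = true;
          locations."/".return = "444";
        };
      };
    };

  security.acme = {
    defaults.email = "tim.vanbaak+alogoulogoi@gmail.com";
    acceptTerms = true;
  };

  # Key-based SSH only; root may authenticate with a key but never a password.
  services.openssh = {
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "prohibit-password";
  };

  services.tinc.networks.beatific = {
    # Accept overlay peers on every IPv4 address; port 655 is opened in the
    # firewall section below.
    listenAddress = "0.0.0.0";
    # NOTE(review): chroot is disabled here, which removes tinc's filesystem
    # confinement for the daemon — confirm something (e.g. tinc-up/tinc-down
    # scripts) actually requires it before keeping this.
    chroot = false;
  };

  services.intake = {
    # Bound to a single address (presumably the host's tinc overlay address);
    # the port is deliberately not opened in the firewall, so it is reachable
    # from the overlay only.
    listen = {
      addr = "10.22.20.1";
    };
    users.tvb.enable = true;
    users.tvb.extraPackages = [
      pkgs.intakeSources
      pkgs.openssh
    ];
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      80 # http
      443 # https
      655 # tinc
    ];
    allowedUDPPorts = [
      655 # tinc
    ];
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
}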