# NixOS host configuration for "backyard": boot loader, NetworkManager, the
# host firewall, and membership in the "beatific" Nebula overlay network.
{ pkgs, ... }:

let
  # Overlay (VPN) address of the lighthouse at empyrean. Bound once because
  # the `lighthouses` entry must also be a key of `staticHostMap`.
  lighthouseVpnAddress = "10.22.20.1";

  # Nebula firewall rule set that matches every port, protocol and host.
  unfiltered = [
    {
      port = "any";
      proto = "any";
      host = "any";
    }
  ];
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  beatific.hostName = "backyard";

  networking = {
    # Enable networking
    networkmanager.enable = true;

    # Host-level packet filter; the only TCP ports opened in this file are
    # the two web ports.
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80 # http
        443 # https
      ];
    };
  };

  # Membership in this group lets tvb manage NetworkManager connections.
  users.users.tvb.extraGroups = [ "networkmanager" ];

  services.nebula.networks.beatific = {
    enable = true;

    # CA certificate, host certificate and host private key. These are plain
    # strings rather than Nix path literals, so the files are referenced where
    # they sit instead of being copied into the Nix store.
    # NOTE(review): backyard.key is this node's private key; confirm it is
    # readable only by the account the Nebula service runs as.
    ca = "/etc/nebula/beatific/beatific.crt";
    cert = "/etc/nebula/beatific/backyard.crt";
    key = "/etc/nebula/beatific/backyard.key";

    listen.port = 4242;

    # Connect to the lighthouse at empyrean
    # This should be a VPN address in the static host map
    lighthouses = [ lighthouseVpnAddress ];

    # Map the lighthouse address to its public address
    staticHostMap = {
      ${lighthouseVpnAddress} = [ "vpn.alogoulogoi.com:4242" ];
    };

    # Don't filter at the VPN level: both directions accept any port,
    # protocol and host.
    # NOTE(review): filtering of overlay traffic is therefore left to
    # networking.firewall above; confirm no other module lists the Nebula
    # interface in trustedInterfaces, and consider narrowing `inbound` if
    # overlay peers are not all equally trusted.
    firewall = {
      outbound = unfiltered;
      inbound = unfiltered;
    };

    # Enable UDP holepunching both ways, which allows nodes to establish more
    # direct connections with each other
    settings.punchy = {
      punch = true;
      response = true;
    };
  };

  # This value governs how some stateful data, like databases, are handled
  # across different versions of NixOS. This should not be changed to a new
  # release unless the sysadmin has determined that no services would be
  # adversely affected by changing this.
  system.stateVersion = "23.05";
}