# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "empyrean": a VPS (GRUB on /dev/xvda, serial console) that serves a few
# static sites over TLS, accepts key-only ssh, and is the public entry node
# for the "beatific" overlay network (tinc and nebula). Service modules for
# the other workloads are pulled in via `imports` and are not visible here.

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      #./amanuensis.nix
      #./redstring.nix
      ./catacomb.nix
      ./gitea.nix
      ./inquisitor.nix
    ];

  # Use the GRUB 2 boot loader.
  # Both GRUB and the kernel talk to the emulated serial port (--unit=0 /
  # ttyS0), so the provider's serial console is the only place the boot menu
  # can be reached; access to that console is therefore equivalent to local
  # console access to this host.
  boot.loader.grub = {
    enable = true;
    device = "/dev/xvda";
    extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
  };
  boot.kernelParams = ["console=ttyS0"];

  # Flakes-enabled nix with build parallelism capped at 2 jobs.
  nix = {
    package = pkgs.nixFlakes;
    settings.max-jobs = 2;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  swapDevices = [ { device = "/swap"; size = 1024; } ];

  networking.hostName = "empyrean";

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.eth0.useDHCP = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # Set your time zone.
  time.timeZone = "UTC";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    htop
    git
    tinc_pre
    python3
    gitea
  ];
  environment.variables.EDITOR = "vim";

  # nginx: each public site is a static tree under /srv/<dir>/, served over
  # TLS only (plain HTTP is redirected), with a Let's Encrypt certificate per
  # host name and a per-site access log.
  services.nginx =
    let
      # Build the virtualHost attrset for a static site rooted at /srv/${srv-dir}/.
      static-site = srv-dir: {
        enableACME = true;
        forceSSL = true;
        root = "/srv/${srv-dir}/";
        extraConfig = ''
          access_log /var/log/nginx/access_${srv-dir}.log;
          index index.html;
        '';
      };
    in {
      enable = true;
      # Forwarding headers for reverse-proxied vhosts; those vhosts are
      # presumably declared in the imported modules (gitea.nix etc.), not here.
      recommendedProxySettings = true;
      virtualHosts = {
        # Static pages
        "wedding.ktvb.site" = static-site "wedding.ktvb.site";
        "www.ktvb.site" = static-site "www.ktvb.site";
        "mirror.alogoulogoi.com" = static-site "mirror.alogoulogoi.com";
        # Directory name deliberately differs from the host name: /srv/www/.
        "www.alogoulogoi.com" = static-site "www";
        # Plain-HTTP page bound to 10.22.20.1:80 only.
        # NOTE(review): 10.22.20.1 looks like this host's overlay-network
        # address (services.intake binds it too), i.e. reachable only by VPN
        # peers -- confirm, since there is no TLS on this vhost.
        newtab = {
          listen = [ { addr = "10.22.20.1"; port = 80; } ];
          root = "/srv/newtab/";
          extraConfig = ''
            access_log /var/log/nginx/access_newtab.log;
            index index.html;
          '';
        };
        # Deny all other subdomains: the default server closes the connection
        # (nginx status 444) for any Host header not matched above.
        # NOTE(review): this vhost has no SSL listen, so `default = true`
        # presumably makes it the default on port 80 only; an HTTPS request
        # for an unknown name would be answered by whichever TLS vhost nginx
        # selects first. `rejectSSL = true;` would refuse unknown SNI at the
        # handshake instead -- verify against the nixpkgs release in use.
        "alogoulogoi.com" = {
          default = true;
          locations."/".return = "444";
        };
      };
    };

  security.acme = {
    defaults.email = "tim.vanbaak+alogoulogoi@gmail.com";
    acceptTerms = true;
  };

  services.ntp = {
    enable = true;
    servers = ["time.nist.gov"];
  };

  # ssh: password logins are off; root may authenticate with a key only.
  # NOTE(review): keyboard-interactive auth is governed by a separate setting
  # (settings.KbdInteractiveAuthentication); confirm it is also disabled if the
  # intent is strictly "keys only".
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "prohibit-password";
  };

  # tinc overlay "beatific": listens on all interfaces (port 655, opened in the
  # firewall below). chroot is disabled, so tincd keeps full filesystem access;
  # the reason is not visible in this file -- confirm it is intentional.
  services.tinc.networks.beatific = {
    listenAddress = "0.0.0.0";
    chroot = false;
  };

  # nebula overlay "beatific": this host is the lighthouse peers contact first.
  # The CA and host credentials live outside the nix store under
  # /etc/nebula/beatific/ and must be provisioned separately.
  services.nebula.networks.beatific = {
    enable = true;
    # Network certificate and host credentials
    ca = "/etc/nebula/beatific/beatific.crt";
    cert = "/etc/nebula/beatific/empyrean.crt";
    key = "/etc/nebula/beatific/empyrean.key";
    # This host has a well-known IP at its VPS host, so it can function as a lighthouse/entry node
    isLighthouse = true;
    # Listen to connection requests from the public Internet
    # NOTE(review): nebula documents listen.host as an IP address; a DNS name
    # here relies on the deployed nebula version resolving it at startup --
    # confirm. UDP 4242 is not listed in networking.firewall below; the NixOS
    # nebula module is expected to open listen.port itself -- verify on the
    # running host (e.g. `ss -lunp`) after switching.
    listen.port = 4242;
    listen.host = "vpn.alogoulogoi.com";
    # Don't filter anything at the VPN level: nebula's own firewall passes all
    # traffic both ways, so any peer holding a cert signed by this CA can reach
    # every service on this host, subject only to networking.firewall below.
    firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
    firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
    settings = {
      # Enable UDP holepunching both ways, which allows
      # nodes to establish more direct connections with each other
      punchy = {
        punch = true;
        response = true;
      };
    };
  };

  # intake: bound to 10.22.20.1 only, not to the public interface.
  services.intake = {
    listen = { addr = "10.22.20.1"; port = 5234; };
    users.tvb.enable = true;
    users.tvb.extraPackages = [ pkgs.intakeSources ];
  };

  # Host firewall. Ports listed here are opened on every interface, overlay
  # interfaces included.
  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [
      22   # ssh
      80   # http
      443  # https
      655  # tinc
      # intake binds 10.22.20.1 only, so opening 5234 on every interface is
      # wider than needed; networking.firewall.interfaces.<iface>.allowedTCPPorts
      # would scope it to the overlay interface.
      5234 # intake
    ];
    allowedUDPPorts = [
      655 # tinc
    ];
  };

  # Admin user: sudo via wheel, key-based ssh only. The authorized public keys
  # are tracked in the repository, one per client machine.
  users.users.tvb = {
    isNormalUser = true;
    group = "tvb";
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keyFiles = [
      ../../keys/tvb.palamas.pub
      ../../keys/tvb.stagirite.pub
      ../../keys/tvb.catacomb.pub
    ];
  };
  users.groups.tvb = {};

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?

}