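# NixOS host configuration for "catacomb": a ZFS-backed NAS that is reachable
# over SSH, runs rsyncd and cron maintenance jobs, and joins the "beatific"
# Nebula overlay network.  The Samba share definitions are kept below in a
# block comment for reference; they are not active.
{ pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    #./fileserver.nix
  ];

  boot = {
    loader = {
      # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
      grub.enable = false;
      # Enables the generation of /boot/extlinux/extlinux.conf
      generic-extlinux-compatible.enable = true;
    };
    supportedFilesystems = [ "zfs" ];
    zfs.enableUnstable = true;
  };

  system.stateVersion = "22.11"; # Read the usual warning

  swapDevices = [
    { device = "/swap"; size = 1024; }
  ];

  console.keyMap = "us";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs;
    let
      # A python3 interpreter with the listed modules available.
      py3-packages = python-packages: with python-packages; [ flask ];
      py3-with-packages = python3.withPackages py3-packages;
    in [
      wget vim curl git htop bash tmux psmisc man-pages pv lsof zip unzip
      py3-with-packages
      usbutils hdparm sdparm smartmontools gptfdisk gnufdisk dosfstools
      mkpasswd samba tinc_pre
      #file-rename
      rsync rclone gnupg
    ];

  networking = {
    hostName = "catacomb";
    hostId = "beeeeee5";
    firewall = {
      enable = true;
      allowPing = true;
      # 22 is sshd.  139/445 and UDP 137/138 are the SMB/NetBIOS ports; they
      # stay open even though the services.samba block below is commented
      # out, so drop them if Samba is not brought back.  rsyncd is enabled
      # below but its port (873) is not listed here, so it appears to be
      # reachable only through interfaces this firewall does not filter.
      allowedTCPPorts = [ 22 139 445 ];
      allowedUDPPorts = [ 137 138 ];
    };
  };

  services.cron = {
    enable = true;
    systemCronJobs =
      let
        # Weekly re-assertion of ownership and modes on the NAS tree:
        # everything tvb:nas, directories 0750, files 0640.
        # "-exec ... {} +" hands find's matches to chmod in batches instead
        # of spawning one chmod per path; the verbose output is the same.
        reassertPerms = pkgs.writeShellScript "reassert-nas-permissions.sh" ''
          ${pkgs.coreutils}/bin/chown -v -R tvb:nas /nas
          ${pkgs.findutils}/bin/find /nas -type d -exec ${pkgs.coreutils}/bin/chmod -v 750 {} +
          ${pkgs.findutils}/bin/find /nas -type f -exec ${pkgs.coreutils}/bin/chmod -v 640 {} +
        '';
      in [
        "0 20 * * 1 root ${reassertPerms}"
        # Runs as tvb; the profile is sourced first so the backup script
        # starts from the usual login environment.
        "0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
      ];
  };

  services.openssh = {
    enable = true;
    # Key-only logins.  tvb's authorized keys are provisioned in
    # users.users.tvb below, and that account's password is a cleartext
    # placeholder, so accepting passwords over SSH (directly, or via PAM
    # through keyboard-interactive) would expose a wheel account on the
    # open port 22 to guessing.
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

  services.ntp = {
    enable = true;
    servers = [ "time.nist.gov" ];
  };

  services.rsyncd.enable = true;

  /* Samba is currently disabled; the definition is kept for reference.
  services.samba = let
    # Read-write share limited to validUsers; group "nas" is forced on
    # everything created through it.
    sambaShare = path: validUsers: {
      path = path;
      comment = "Samba share for ${path}";
      browseable = "yes";
      "read only" = "no";
      "guest okay" = "no";
      "create mask" = "0640";
      "force create mode" = "0640";
      "directory mask" = "0750";
      "force directory mode" = "0750";
      "valid users" = validUsers;
      "force group" = ''nas'';
    };
    # Read-only variant of sambaShare.
    sambaShareRO = path: validUsers: {
      path = path;
      comment = "Read-only Samba share for ${path}";
      browseable = "yes";
      "read only" = "yes";
      "guest okay" = "no";
      "valid users" = validUsers;
      "force group" = ''nas'';
    };
  in {
    enable = true;
    securityType = "user";
    extraConfig = ''
      workgroup = beatific
      server string = Catacomb Nix SMB
      netbios name = catacomb
      deadtime = 300
      local master = yes
      domain master = yes
      preferred master = yes
      guest account = nobody
      map to guest = bad user
      case sensitive = yes
      veto files = /^.DS_Store$/^.Trash-1000$/
      load printers = no
      printcap name = /dev/null
      printing = bsd
      log file = /var/log/samba/client-%m.log
      log level = 2
      max log size = 64
      hide dot files = no
      hosts allow = 10.7.3.
      map archive = no
      unix extensions = yes
    '';
    shares = {
      audioRO = sambaShareRO "/nas/audio" ''@nas'';
      docRO = sambaShareRO "/nas/doc/" ''@nas'';
      gameRO = sambaShareRO "/nas/game/" ''@nas'';
      imageRO = sambaShareRO "/nas/image" ''@nas'';
      videoRO = sambaShareRO "/nas/video" ''@nas'';
      #audio = sambaShare "/nas/audio" ''@nas'';
      #doc = sambaShare "/nas/doc/" ''@nas'';
      #game = sambaShare "/nas/game/" ''@nas'';
      #image = sambaShare "/nas/image" ''@nas'';
      #video = sambaShare "/nas/video" ''@nas'';
    };
  };
  */

  services.nebula.networks.beatific = {
    enable = true;
    # Network certificate and host credentials
    ca = "/etc/nebula/beatific/beatific.crt";
    cert = "/etc/nebula/beatific/catacomb.crt";
    key = "/etc/nebula/beatific/catacomb.key";
    listen.port = 4242;
    # Connect to the lighthouse at empyrean
    # Note that this is a VPN address, not a public address
    lighthouses = [ "10.22.20.1" ];
    # Map the lighthouse address to its public address
    staticHostMap = {
      "10.22.20.1" = [ "vpn.alogoulogoi.com:4242" ];
    };
    # Don't filter anything at the VPN level.  At the Nebula layer this
    # means any peer holding a certificate signed by beatific.crt may open a
    # connection to any port here, so the overlay CA is the access control;
    # whether networking.firewall above also applies to the tunnel
    # interface depends on the module defaults -- confirm before relying
    # on it.
    firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
    firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
    settings = {
      # Enable UDP holepunching both ways, which allows nodes to establish
      # more direct connections with each other
      punchy = {
        punch = true;
        response = true;
      };
    };
  };

  services.zfs.autoScrub = {
    enable = true;
    pools = [ "catapool" ];
    interval = "monthly";
  };

  users.groups.nas.gid = 1600;

  users.users.tvb = {
    isNormalUser = true;
    uid = 1001;
    # FIXME(security): cleartext password.  NixOS stores this option's value
    # in the world-readable Nix store; prefer hashedPassword (mkpasswd is in
    # systemPackages above) or a password file kept outside the store.  With
    # SSH password logins disabled in services.openssh this only affects
    # console logins, but it is still a wheel account.
    password = "badpassword";
    extraGroups = [ "wheel" "nas" ];
    openssh.authorizedKeys.keyFiles = [
      ./keys/tvb.palamas.pub
      ./keys/tvb.stagirite.pub
      ./keys/tvb.vagrant.pub
      ./keys/monitor.isidore.pub
      ./keys/inquisitor.conduit.pub
      #./keys/tvb.empyrean.pub
    ];
  };

  nix.settings.cores = 4;
  nix.extraOptions = "experimental-features = nix-command flakes";
}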