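{ config, pkgs, ... }:
# NixOS Homelab
# ===================
# The goal of this build is to get a basic good setup in NixOS that
# does similar things to something like Yunohost but in a
# declarative fashion.
#
# Comments or suggestions to https://fedi.arkadi.one/@tootbrute
let
  # ed25519 keys that are trusted BOTH for the initrd ZFS-unlock shell (a
  # root shell before the pool is imported) and for the `elias` account.
  # Defined once so the two lists cannot drift apart; the initrd list gets
  # exactly these keys and nothing else (the ssh-rsa `elias@socrates` key is
  # deliberately user-only, see users.users.elias).
  sharedAuthorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" # little hp - tux
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" # desktop
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" # bluenix
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" # acer
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" # arkadi
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com" # greynix
  ];
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./services/jellyfin.nix
    ./services/calibre-web.nix
    ./services/glances.nix
    ./services/fail2ban.nix
    ./services/transmission.nix
  ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;

  # ZFS SSH Remote Unlock, ethernet only
  # https://wiki.nixos.org/wiki/ZFS
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      # The initrd host key is read from /boot (presumably the unencrypted ESP
      # with systemd-boot), so anyone holding the disk can read it and present
      # the same host identity as the unlock prompt. Clients pin this key, so
      # treat an unexpected host-key change on connect as a signal, not noise.
      hostKeys = [ /boot/host_ecdsa_key ];
      # Every key here gets a root shell in the initrd.
      authorizedKeys = sharedAuthorizedKeys;
      # to login: ssh -p 2222 root@192.168.15.180 "zfs load-key -a && killall zfs"
    };
  };
  # Alternative from
  # https://discourse.nixos.org/t/unlock-encrypted-zfs-via-ssh-on-boot/40582 —
  # derive the list from every wheel user's openssh keys. Not used here because
  # it would also admit the ssh-rsa socrates key to the unlock shell:
  #   authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);

  # ZFS
  services.zfs.autoScrub.enable = true;

  # Nix settings
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      download-buffer-size = "2G";
      warn-dirty = false;
    };
    # garbage collection
    gc = {
      automatic = true;
    };
    optimise = {
      automatic = true;
    };
  };

  # Networking
  networking.hostName = "knossos"; # Define your hostname.
  networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
  networking.hostId = "0631374f"; # for ZFS

  # Enable networking
  #networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "Asia/Taipei";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "zh_TW.UTF-8";
    LC_IDENTIFICATION = "zh_TW.UTF-8";
    LC_MEASUREMENT = "zh_TW.UTF-8";
    LC_MONETARY = "zh_TW.UTF-8";
    LC_NAME = "zh_TW.UTF-8";
    LC_NUMERIC = "zh_TW.UTF-8";
    LC_PAPER = "zh_TW.UTF-8";
    LC_TELEPHONE = "zh_TW.UTF-8";
    LC_TIME = "zh_TW.UTF-8";
  };

  # Configure keymap in X11
  # services.xserver = {
  #   xkb.layout = "us";
  #   xkb.Variant = "";
  # };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.elias = {
    isNormalUser = true;
    description = "Tootbrute";
    # "wheel" + wheelNeedsPassword = false below and "docker" (socket access is
    # root-equivalent) both make this account effectively root; every key in
    # the list is therefore a root credential for the host.
    extraGroups = [ "networkmanager" "wheel" "docker" ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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 elias@socrates" # acer at school (user-only, not initrd)
    ] ++ sharedAuthorizedKeys;
    linger = true;
    packages = with pkgs; [ ];
  };

  # SSH Login Message
  # NOTE(review): the banner's original line breaks were not recoverable from
  # the copy this was edited from — verify the multi-line layout against git.
  users.motd = " || || || //` `||''|, .|''|, ('''' ('''' .|''|, ('''' ||<< || || || || `'') `'') || || `'') .|| \\. .|| ||. `|..|' `...' `...' `|..|' `...' ";

  # Disable sudo password for the wheel group.
  # With key-only SSH (below) this means "possession of a listed key == root";
  # losing a laptop listed above should be followed by removing its key here.
  security.sudo.wheelNeedsPassword = false;

  # Enable automatic login for the user.
  #services.getty.autologinUser = "elias";

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget
    fastfetch
    htop
    btop
    hollywood
    curl
    restic
    git
    neovim
    tmux # like screen
    wiper # like ncdu
    systemctl-tui # systemd tui
    diskonaut # see how much space is used
    tcpdump # for wireguard test
  ];

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      # Port 22 is opened to the public side in networking.firewall below and
      # every login path here is key-based, so password and keyboard-interactive
      # authentication only add brute-force surface. fail2ban (imported above)
      # rate-limits guesses; key-only auth removes them entirely.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Tailscale
  services.tailscale = {
    enable = true;
    #permitCertUid = "caddy";
  };

  # Cron
  services.cron.enable = true;
  services.cron.systemCronJobs = [
    # Heartbeat to healthchecks.io. The UUID in the URL is effectively a
    # credential (anyone with it can keep the check "alive"); if this file is
    # published, consider moving it out of the repo.
    "00 * * * * root curl https://hc-ping.com/0bbb3afb-196a-4d12-894f-599099029cfc"
  ];

  # Docker — an earlier note said "disabled for now", but it IS enabled here;
  # this block is the source of truth. Rootful docker: members of the docker
  # group (elias above) can obtain root through the daemon socket.
  virtualisation = {
    docker = {
      enable = true;
      autoPrune = {
        enable = true;
        dates = "weekly";
      };
      # rootless = {
      #   enable = true;
      #   setSocketVariable = true;
      # };
    };
  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  networking.firewall = {
    # enable the firewall
    enable = true;
    # allow all ports from your Tailscale network
    trustedInterfaces = [ "tailscale0" ];
    # or allow you to SSH in over the public internet. 22 on the public side is
    # what the key-only sshd settings above are for; 80/443 are presumably for
    # the imported services — confirm each one actually needs public exposure.
    # (The initrd unlock port 2222 runs before this firewall exists.)
    allowedTCPPorts = [ 22 80 443 ];
    # allow the Tailscale UDP port through the firewall
    allowedUDPPorts = [ config.services.tailscale.port ];
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.11"; # Did you read the comment?
}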