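# NixOS host definition for v-coord1: a VM with static IPv4/IPv6 addressing,
# root SSH access restricted to maintainer keys, and a Nebula lighthouse/relay
# that also serves overlay DNS. Secrets are supplied through sops; the
# `deployment.*`, `modules.*` and `nix.flakes.*` options come from this
# repository's own module set, not from upstream NixOS.
#
# `with lib;` was dropped: nothing below references a lib attribute, and the
# unscoped `with` only obscures where names resolve from.
{ config, pkgs, lib, ... }:

let
  # Static IPv4 settings for the primary interface.
  ipv4 = {
    address = "138.248.67.57";
    gateway = "138.248.67.1";
    netmask = "255.255.255.0";
    prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
  };

  # Static IPv6 settings for the primary interface.
  ipv6 = {
    address = "2001:ce8:77:f::2e27:0";
    gateway = "2001:ce8:77:f::1";
    prefixLength = 112;
  };

  networkInterface = "ens3";
  hostName = "v-coord1";
  hostId = "8b0a9354";
  hostAddr = "v-coord1.sefidel.net";

  # SSH public keys that are allowed to log in as root (see openssh below).
  sefidelKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11"
  ];
  # Every key list that should receive root access; extend the empty list
  # (or append further lists) when adding maintainers.
  maintainerKeys = [ ] ++ sefidelKeys;
in
{
  # Target used by the deployment tooling (project-specific options).
  deployment = {
    targetHost = hostAddr;
    targetPort = 22;
    targetUser = "root";
  };

  imports = [ ./hardware-configuration.nix ];

  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/vda";
    };

    # Kernel-level IP configuration for the initrd, so the machine is reachable
    # before stage 2 applies `networking.interfaces`. Field layout, per the
    # kernel's nfsroot documentation (Documentation/admin-guide/nfs/nfsroot.rst):
    #   ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
    # <server-ip> refers to an NFS server and is left empty here; <autoconf>
    # is "off" because the address is static; only <dns0-ip> is given.
    kernelParams = [
      "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
    ];

    tmp.cleanOnBoot = true;
  };

  zramSwap.enable = true;

  networking = {
    inherit hostName hostId;
    useDHCP = false;

    interfaces.${networkInterface} = {
      ipv4.addresses = [{
        address = ipv4.address;
        prefixLength = ipv4.prefixLength;
      }];
      ipv6.addresses = [{
        address = ipv6.address;
        prefixLength = ipv6.prefixLength;
      }];
    };

    defaultGateway = ipv4.gateway;
    defaultGateway6 = {
      address = ipv6.gateway;
      interface = networkInterface;
    };

    nameservers = [ "8.8.8.8" ];

    # Host firewall stays on: only ports that modules open explicitly are
    # reachable from outside.
    firewall.enable = true;
  };

  time.timeZone = "UTC";

  sops.secrets = {
    # The root password hash must be available when users are created, which
    # happens before the regular secret activation step.
    root-password.neededForUsers = true;

    # User = networkId;
    # nameToId = netName: "nebula-${netName}";

    # Nebula PKI material, readable only by the service user that runs nebula.
    nebula-sefidel-internal-ca.owner = "nebula-sefidel-internal";
    nebula-sefidel-internal-cert.owner = "nebula-sefidel-internal";
    nebula-sefidel-internal-key.owner = "nebula-sefidel-internal";
  };

  users.users.root = {
    hashedPasswordFile = config.sops.secrets.root-password.path;
    openssh.authorizedKeys.keys = maintainerKeys;
  };

  services.openssh = {
    enable = true;
    # Root may authenticate only with one of the authorized keys above; password
    # logins for root are refused even though a root password hash is set.
    settings.PermitRootLogin = "prohibit-password";
  };

  nix.flakes.enable = true;

  # Options provided by this repository's own modules.
  modules = {
    security.enable = true;
    persistence.enable = false;
    binary-cache.enable = true;
    sops.enable = true;
    services.tailscale.enable = true;

    services.nebula = {
      enable = true;
      networks.sefidel-internal = {
        ca = config.sops.secrets.nebula-sefidel-internal-ca.path;
        cert = config.sops.secrets.nebula-sefidel-internal-cert.path;
        key = config.sops.secrets.nebula-sefidel-internal-key.path;
        isLighthouse = true;
        isRelay = true;
        settings.lighthouse = {
          # NOTE(review): overlay DNS is bound to 100.64.0.1:53. With the host
          # firewall enabled, confirm that the project's nebula module opens
          # port 53 on the overlay interface only, not on ${networkInterface}.
          serve_dns = true;
          dns = {
            host = "100.64.0.1";
            port = 53;
          };
        };
      };
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
}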