# SPDX-FileCopyrightText: V
# SPDX-FileCopyrightText: edef
# SPDX-License-Identifier: OSL-3.0
#
# Base NixOS configuration shared by every machine in the fleet.
#
# The host-specific part is chosen at evaluation time by reading
# /etc/hostname and importing the matching entry of ./hosts; every entry
# of ./modules is imported unconditionally on top of the QEMU guest
# profile.  The rest of this file is the common baseline: encrypted ZFS
# root unlocked over SSH from the initrd, systemd-networkd networking,
# key-only SSH, no sudo, and a small set of user packages.
{ lib, pkgs, modulesPath, ... }:

let
  inherit (lib) fileContents;

  # fileContents drops the trailing newline, so the result can be used as
  # a path component as-is.
  hostName = fileContents /etc/hostname;
  # commit = lib.commitIdFromGitRepo ./.git;

  # One import per directory entry of ./modules, whatever its name or kind.
  fleetModules =
    map (name: ./modules + "/${name}")
      (builtins.attrNames (builtins.readDir ./modules));
in
{
  imports = [
    "${modulesPath}/profiles/qemu-guest.nix"
    (./hosts + "/${hostName}")
  ] ++ fleetModules;

  nix.nixPath = [
    "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
    "nixos-config=/etc/nixos/fleet/configuration.nix"
    "/nix/var/nix/profiles/per-user/root/channels"
  ];

  nixpkgs.overlays = [ (import ./pkgs/overlay.nix) ];

  system = {
    stateVersion = "20.09";
    # Unattended upgrades from the channel named in nix.nixPath above.
    autoUpgrade.enable = true;
  };

  ### Startup
  boot = {
    loader.grub.device = "/dev/sda";

    initrd = {
      availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];

      luks.devices.rpool = {
        device = "/dev/sda3";
        # Passes TRIM through to the disk.  The LUKS documentation covers the
        # trade-off: free-space patterns become visible on the raw device.
        allowDiscards = true;
      };

      # Bring the network up in the initrd so the LUKS passphrase can be
      # entered remotely instead of on the console.
      network.enable = true;
      network.ssh = {
        enable = true;
        port = 798; # Random unassigned port in the range [1, 1024]
        # Deliberately not 22: the initrd sshd presents this key, not the
        # booted system's, and a separate port keeps clients from treating
        # the two as a host-key change on one endpoint.  The key ends up
        # inside the initrd on the unencrypted /boot, so it must never be
        # the same file as the running system's host key.
        hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];
      };
    };

    ### Filesystems
    # Come on, why isn't this the default?
    tmpOnTmpfs = true;
  };

  fileSystems = {
    "/boot" = {
      device = "/dev/sda2";
      fsType = "ext2";
    };

    "/" = {
      device = "rpool/root";
      fsType = "zfs";
      # Extracted from the strace output of `zfs mount -a`
      # NOTE: the pool is configured with `zfs set setuid=off rpool`
      # TODO(V): come up with a less ugly solution
      options = [ "defaults" "atime" "strictatime" "dev" "exec" "rw" "nosuid" "nomand" "zfsutil" ];
    };
  };

  ### Networking
  networking = {
    # Required by ZFS, but redundant on a single-pathed system.
    hostId = "00000000";

    useNetworkd = true;
    hostName = hostName;
    domain = "unfathomable.blue";

    # Misnomer, actually enables DHCP for all unmanaged interfaces.
    # It's also incompatible with systemd-networkd.
    useDHCP = false;
    interfaces.ens3.useDHCP = true;

    # This is exceedingly spammy, and not so useful for an Internet-facing machine.
    firewall.logRefusedConnections = false;
  };

  ### Security + privacy
  security.sudo.enable = false;

  ### System services
  services.openssh = {
    enable = true;
    # Key-based authentication only.
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
    # TODO(V): Route exclusively over WireGuard, if you dare
  };

  ### Programs + user services
  programs = {
    fish.enable = true;
    mosh.enable = true;
    mtr.enable = true;
  };

  ### Environment
  time.timeZone = "UTC";

  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
    extraLocaleSettings.LC_COLLATE = "C";
  };

  environment = {
    variables.EDITOR = "kak";
    systemPackages = [
      pkgs.kakoune
      pkgs.tree
      pkgs.htop
      pkgs.ldns
    ];
  };

  ### Users
  users = {
    mutableUsers = false;
    # TODO(V): Switch to https://github.com/NixOS/nixpkgs/pull/101127 once it's been merged and made its way into stable.
    defaultUserShell = pkgs.fish;

    # This is here so we can `git push` directly to /etc/nixos.
    # It should be removed if we stop using that workflow.
    users.root.packages = [ pkgs.git ];
  };
}