{ config, lib, pkgs, sources, modules, ... }:

{
  imports = [
   ../../common
    ./hardware.nix
    modules.encboot
    modules.network.nftables
    modules.nftnat
    sources.nix-hexchen.nixosModules.profiles.nopersist

    ../../services/nextcloud.nix
    ../../services/mattermost.nix
    ../../services/thelounge.nix
    ../../services/murmur.nix
    ../../services/hedgedoc-hacc.nix
    ../../services/hedgedoc-i4f.nix
    ../../services/mail.nix
    ../../services/gitea.nix
    ../../services/nginx-pages.nix
    ../../services/lantifa.nix
    ../../services/vaultwarden.nix
    ../../services/uffd.nix

    ./lxc.nix
  ];

  hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
  # fileSystems."/var/lib/acme" = {
  #   device = "/persist/var/lib/acme";
  #   fsType = "bind";
  # };

  hexchen.encboot = {
    enable = true;
    dataset = "-a";
    networkDrivers = [ "igb" ];
  };

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
  boot.supportedFilesystems = [ "zfs" ];

  networking.hostId = "b2867696";
  networking.useDHCP = true;
  networking.nftables.enable = true;
  hexchen.nftables.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "enp35s0";

  networking.interfaces.enp35s0.ipv6.addresses = [{
    address = "2a01:4f9:3a:2ddb::1";
    prefixLength = 64;
  }];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp35s0";
  };
  boot = {
    kernelModules = [ "nf_nat_ftp" ];
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
      "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "parsons.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "302 https://hacc.earth";
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.restic.backups.tardis = {
    passwordFile = "/persist/restic/system";
    environmentFile = "/persist/restic/system.s3creds";
    paths = [
      "/home"
      "/persist"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 3"
    ];
    repository = "b2:tardis-parsons:system";
  };

  system.stateVersion = "21.05";
}