# NixOS host configuration for "parsons": a ZFS machine using the project's
# encboot/nopersist modules, serving the imported web services behind nginx,
# with sops-managed secrets and restic backups of /home and /persist.
{ config, lib, pkgs, sources, modules, ... }:

{
  imports = [
    ../common
    ./hardware.nix
    modules.encboot
    modules.nopersist
    ./nftables.nix
    ./nextcloud.nix
    ./mattermost.nix
    ./murmur.nix
    ./hedgedoc-hacc.nix
    ./hedgedoc-i4f.nix
    ./mail.nix
    ./forgejo.nix
    ./nginx-pages.nix
    ./vaultwarden.nix
    ./tracktrain.nix
    ./uffd.nix
    ./lxc.nix
    ./monit.nix
  ];

  hacc = {
    # Presumably keeps ACME account keys and issued certificates across
    # reboots of the non-persistent root; confirm in modules.nopersist.
    bindToPersist = [ "/var/lib/acme" ];

    encboot = {
      enable = true;
      # NOTE(review): "-a" looks like a flag handed to a ZFS key-loading
      # command ("all datasets") rather than a dataset name; confirm in
      # modules.encboot.
      dataset = "-a";
      # Presumably the NIC driver made available in the initrd so the
      # machine can be unlocked over the network; confirm in modules.encboot.
      networkDrivers = [ "igb" ];
    };
  };

  sops = {
    defaultSopsFile = ../secrets.yaml;

    # The host's ed25519 SSH key doubles as the age identity that decrypts
    # this host's sops secrets. It lives under /persist, which is also a
    # restic backup path below: anyone who can read and decrypt the backup
    # repository obtains this key and, with it, every secret encrypted to it.
    age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];

    # Both restic secrets use the sops-nix defaults (no owner/mode override).
    secrets = {
      "restic/system" = {};
      "restic/s3creds.env" = {};
    };
  };

  boot = {
    # GRUB is installed on both NVMe devices.
    loader.grub = {
      enable = true;
      devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
    };
    supportedFilesystems = [ "zfs" ];
  };

  networking = {
    hostName = "parsons";
    # ZFS on NixOS requires a fixed hostId.
    hostId = "b2867696";
    useDHCP = true;
    nftables.enable = true;

    # NOTE(review): with networking.nftables.enable set, whether this list
    # takes effect depends on the NixOS release and on ./nftables.nix.
    # Confirm against the loaded ruleset that 80/443 are opened by it and
    # that nothing else is reachable.
    firewall.allowedTCPPorts = [ 80 443 ];

    # Static IPv6 address; the gateway is link-local, so the interface must
    # be named explicitly.
    interfaces.enp35s0.ipv6.addresses = [
      {
        address = "2a01:4f9:3a:2ddb::1";
        prefixLength = 64;
      }
    ];
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp35s0";
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Catch-all: requests whose Host matches no other vhost get a 404.
      # NOTE(review): this vhost has no TLS settings, so it presumably only
      # catches plain HTTP; unknown names on 443 would fall through to
      # whichever TLS vhost nginx treats as default. Confirm if that matters.
      "parsons.hacc.space" = {
        default = true;
        locations."/".return = "404";
      };

      # Redirect-only vhost: HTTPS is forced, then everything is sent on to
      # hacc.earth.
      "hacc.space" = {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "302 https://hacc.earth";
      };
    };
  };

  services.restic.backups.tardis = {
    repository = "b2:tardis-parsons:system";
    # Both files are sops secrets declared above. The environment file
    # presumably carries the credentials for the b2: backend despite its
    # "s3creds" name.
    passwordFile = "/run/secrets/restic/system";
    environmentFile = "/run/secrets/restic/s3creds.env";

    # /persist includes the SSH host key used as the sops age identity, so
    # the repository password and the bucket credentials protect every
    # secret encrypted to that key. The repository password is itself a sops
    # secret, so a bare-metal restore needs that password (or another sops
    # recipient key) from somewhere outside this machine.
    paths = [ "/home" "/persist" ];

    # Retention: 7 daily, 5 weekly and 3 monthly snapshots.
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 3"
    ];
  };

  # Marks the release whose stateful defaults this host was installed with;
  # it is not meant to be bumped as part of a routine upgrade.
  system.stateVersion = "21.05";
}