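# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# configuration.nix for host cl-nb-01: a NixOS module (a function of the
# module arguments) returning the attribute set of options for this machine.
# Secrets are never inlined here; they are pulled in through sops-nix and
# consumers read them by path (see the `sops.*` options below).

{ config, pkgs, ... }:

{
  nixpkgs.config.allowUnfree = true;

  imports = [
    # ./modules/clevis.nix
    ./utils/bento.nix
    ./utils/modules/sops.nix
    ./utils/modules/nur.nix
    ./modules/sway/sway.nix
    # ./modules/gnome.nix
    ./modules/printer.nix
    ./modules/nvim/default.nix
    ./utils/modules/autoupgrade.nix
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ];

  # Packages nixpkgs refuses to build by default because upstream has ended
  # support for them (known, unpatched vulnerabilities). Each entry pins one
  # exact version, so a version bump silently drops the exception and the
  # build fails again. NOTE(review): record which dependency pulls each one
  # in so the entry can be removed as soon as that dependency moves on.
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1v"
    "electron-24.8.6"
  ];

  fonts.packages = with pkgs; [ open-sans ];

  virtualisation.waydroid.enable = true;

  # security.sudo.wheelNeedsPassword = false;
  # services.clevis.uuid = "7435d48f-f942-485b-9817-328ad3fc0b93";

  # nixos cross building qemu
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  boot.supportedFilesystems = [ "ntfs" ];
  boot.plymouth.enable = true;
  boot.plymouth.theme = "breeze";
  boot.kernelParams = [ "quiet" ];
  # boot.loader.systemd-boot.netbootxyz.enable = true;
  # boot.plymouth.themePackages = [ pkgs.nixos-bgrt-plymouth ];
  # boot.plymouth.theme = "nixos-bgrt";

  # allow hibernation
  # NOTE(review): the NixOS option that blocks hibernation is the same one
  # that disables replacing the running kernel image (kexec), so turning it
  # off relaxes both — confirm this trade-off is still wanted on this laptop.
  security.protectKernelImage = false;

  # sops-nix: encrypted material lives in secrets.yaml, the age key only on
  # this host. The key is generated on first activation if the file is
  # missing. Consumers should reference `config.sops.secrets.<name>.path`
  # instead of copying values into the store.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  sops.secrets.epicenter_vpn_ca = {};
  sops.secrets.epicenter_vpn_cert = {};
  sops.secrets.epicenter_vpn_key = {};
  sops.secrets.wg_private_key = {};
  sops.secrets.wg_preshared_key = {};
  sops.secrets.wg-cloonar-key = {};

  virtualisation.docker.enable = true;
  # virtualisation.virtualbox.host = {
  #   enable = true;
  #   enableExtensionPack = true;
  # };

  networking.hostName = "cl-nb-01"; # Define your hostname.
  networking.resolvconf.enable = true;
  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.

  # Static /etc/hosts entries (one host line per entry; `#` comments out a
  # line). Several .local names are listed twice, both pointing at loopback,
  # which is harmless but could be consolidated.
  networking.extraHosts = ''
    10.25.0.25 archive.zeichnemit.at
    # 10.25.0.25 epicenter.works en.epicenter.works
    127.0.0.1 wohnservice.local mieterhilfe.local wohnpartner.local wohnberatung.local wienbautvor.local wienwohntbesser.local
    127.0.0.1 wohnservice-wien.local mieterhilfe.local wohnpartner-wien.local wohnberatung-wien.local wienbautvor.local wienwohntbesser.local
    127.0.0.1 diabetes.local
    127.0.0.1 test.cloonar.com
  '';

  # GDM on Wayland as the login screen; sway is the default session, GNOME
  # is installed alongside it.
  services.xserver = {
    enable = true;
    excludePackages = [ pkgs.xterm ];
    displayManager.gdm.enable = true;
    displayManager.gdm.wayland = true;
    # displayManager.sddm.enable = true;
    displayManager.sessionPackages = [ pkgs.sway ];
    displayManager.defaultSession = "sway";
    libinput.enable = true;
    desktopManager.gnome = {
      enable = true;
      extraGSettingsOverrides = ''
        [org.gnome.desktop.interface]
        gtk-theme='Dracula'
      '';
    };
  };

  # Set your time zone.
  time.timeZone = "Europe/Vienna";
  console.keyMap = "de";

  users.users.dominik = {
    isNormalUser = true;
    # NOTE(review): besides `wheel` (sudo), `disk` grants raw block-device
    # access and `docker` grants access to the daemon socket — both are
    # effectively root-equivalent. `vboxusers` is only needed while the
    # VirtualBox block above is enabled.
    extraGroups = [
      "wheel"
      "disk"
      "video"
      "audio"
      "mysql"
      "docker"
      "vboxusers"
      "networkmanager"
      "onepassword"
      "onepassword-cli"
      "dialout"
    ]; # Enable ‘sudo’ for the user.
  };

  environment.systemPackages = with pkgs; [
    bento
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    docker-compose
    drone-cli
    wireguard-tools
    wineWowPackages.stable
    wineWowPackages.fonts
    winetricks
    git-filter-repo
    ykfde
  ];

  environment.variables = {
    TERMINAL_COMMAND = "alacritty";
  };

  services.blueman.enable = true;

  # services.printing.enable = true;
  # services.printing.drivers = [ pkgs.brlaser ];

  # Local MariaDB for development. The grant below is ALL PRIVILEGES on
  # every database; acceptable on a single-user workstation, too broad for
  # anything shared.
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureUsers = [
      {
        name = "dominik";
        ensurePermissions = {
          "*.*" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  # Local PostgreSQL with one database for zammad.
  # NOTE(review): newer nixpkgs releases have deprecated `ensurePermissions`
  # in favour of ownership-based grants; check the release notes for the
  # channel this host tracks before the next channel bump.
  services.postgresql = {
    enable = true;
    ensureUsers = [
      {
        name = "dominik";
        ensurePermissions = {
          "DATABASE \"zammad\"" = "ALL PRIVILEGES";
        };
      }
    ];
    ensureDatabases = [ "zammad" ];
  };

  system.stateVersion = "22.11"; # Did you read the comment?

  # polkit plus the GNOME authentication agent as a user service, so
  # privilege prompts work inside the sway session.
  security.polkit.enable = true;
  systemd = {
    user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
      };
    };
  };

  # Firewall exemptions for the WireGuard client. NOTE(review): the
  # `networking.wireguard.interfaces` block below is commented out, so the
  # open UDP port and the rpfilter bypass currently serve no interface;
  # consider toggling them together. The bypass matches on port only, so any
  # UDP datagram carrying port 51820 skips reverse-path filtering, not just
  # traffic from the VPN peer — narrowing it to the peer address is an option
  # once the endpoint is fixed.
  networking.firewall = {
    allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
    # if packets are still dropped, they will show up in dmesg
    logReversePathDrops = true; # wireguard trips rpfilter up
    extraCommands = ''
      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
    '';
    extraStopCommands = ''
      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
    '';
  };

  # networking.wireguard.interfaces = {
  #   wg0 = {
  #     # Determines the IP address and subnet of the client's end of the tunnel interface.
  #     ips = [ "10.42.98.201/32" ];
  #
  #     # Path to the private key file.
  #     #
  #     # Note: The private key can also be included inline via the privateKey option,
  #     # but this makes the private key world-readable; thus, using privateKeyFile is
  #     # recommended.
  #     privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
  #
  #     peers = [
  #       {
  #         publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
  #         allowedIPs = [ "10.42.97.0/20" "10.14.0.0/16" "10.25.0.0/16" ];
  #         endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
  #         persistentKeepalive = 25;
  #       }
  #     ];
  #   };
  # };

  # Facial recognition "Windows hello"
  # services.ir-toggle.enable = true;
  # services.howdy = {
  #   enable = true;
  #   device = "/dev/video2";
  # };

  # Nix store housekeeping: deduplicate the store and collect garbage weekly.
  nix = {
    settings.auto-optimise-store = true;
    # autoOptimiseStore = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    # Free up to 1GiB whenever there is less than 100MiB left.
    extraOptions = ''
      min-free = ${toString (100 * 1024 * 1024)}
      max-free = ${toString (1024 * 1024 * 1024)}
    '';
  };
}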