{ config, lib, pkgs, ... }:

let
  projectsDir = "projects";  # Relative to /home/dominik

  repositories = [
    { url = "gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git"; path = "cloonar/wohnservice-wien"; }
    # Add repos here: { url = "git@..."; path = "relative/path"; }
  ];

  cloneScript = pkgs.writeShellScript "clone-repos" ''
    set -eu
    export PATH="${pkgs.openssh}/bin:$PATH"
    export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh"
    HOME_DIR="/home/dominik"
    PROJECTS_DIR="$HOME_DIR/${projectsDir}"

    mkdir -p "$PROJECTS_DIR"
    chown dominik:users "$PROJECTS_DIR"

    ${lib.concatMapStrings (repo: ''
      if [ ! -d "$PROJECTS_DIR/${repo.path}" ]; then
        ${pkgs.sudo}/bin/sudo -u dominik -E ${pkgs.git}/bin/git clone ${repo.url} "$PROJECTS_DIR/${repo.path}" || true
      fi
    '') repositories}
  '';
in
{
  imports = [
    ./modules/dev-tools.nix
  ];

  networking.hostName = "dev";
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ];
  };
  system.stateVersion = "22.05";
  time.timeZone = "Europe/Vienna";

  # User configuration
  users.users.dominik = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/dominik";
    extraGroups = [ "wheel" "docker" ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
    ];
  };
  users.groups.users = {};

  services.openssh.enable = true;
  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;

  # Welcome message with Claude Code reminder
  users.motd = ''
    Welcome to dev

    Claude Code: claude or cr (resume last session)
  '';

  # Short alias for resuming Claude sessions
  programs.zsh.shellAliases = {
    cr = "claude --resume";
  };

  # Passwordless sudo for dominik
  security.sudo.extraRules = [{
    users = [ "dominik" ];
    commands = [{
      command = "ALL";
      options = [ "NOPASSWD" ];
    }];
  }];

  # Clone repos as dominik user on boot
  systemd.services.clone-repos = {
    description = "Clone configured git repositories";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = cloneScript;
      RemainAfterExit = true;
    };
  };

  # Create ddev global config to bind on all interfaces (allows access from other devices)
  systemd.services.ddev-config = {
    description = "Create ddev global config";
    after = [ "local-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      User = "dominik";
      Group = "users";
    };
    script = ''
      mkdir -p /home/dominik/.ddev
      if [ ! -f /home/dominik/.ddev/global_config.yaml ]; then
        cat > /home/dominik/.ddev/global_config.yaml << 'EOF'
router_bind_all_interfaces: true
EOF
      fi
    '';
  };
}