# NixOS host configuration for "surtr": a KVM guest (qemu-guest, ptp_kvm)
# with a tmpfs root and ZFS, statically addressed on ens3, and with an
# nftables ruleset in place of the stock firewall module.  Service-specific
# configuration lives in the sibling modules pulled in under `imports`.
{ flake, pkgs, lib, ... }:

let
  inherit (lib) mkForce;
  profiles = flake.nixosModules.systemProfiles;
in
{
  imports = [
    # Shared system profiles provided by the flake.
    profiles.tmpfs-root
    profiles.qemu-guest
    profiles.openssh
    profiles.rebuild-machines
    profiles.zfs
    # Host-local modules.
    ./zfs.nix
    ./dns
    ./tls
    ./http
    ./bifrost
    ./matrix
    ./postgresql
    ./prometheus
    ./email
    ./vpn
    ./borg.nix
    ./etebase
  ];

  config = {
    nixpkgs.system = "x86_64-linux";

    # Machine identity is pinned as literals rather than generated at boot;
    # presumably so both values survive the tmpfs root (hostId is what the
    # zfs module keys pool ownership on).
    networking.hostId = "a64cf4d7";
    environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";

    boot = {
      loader.grub = {
        enable = true;
        configurationLimit = 7;
        version = 2;
        device = "/dev/vda";
      };
      tmpOnTmpfs = true;
      zfs.devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
      # ptp_kvm provides /dev/ptp_kvm, which chrony below uses as a refclock.
      kernelModules = [ "ptp_kvm" ];
      kernel.sysctl = {
        # This host forwards traffic for the prefixes proxied by ndppd below;
        # the actual forward policy is expected to live in ./ruleset.nft.
        "net.ipv6.conf.all.forwarding" = true;
        "net.ipv6.conf.default.forwarding" = true;
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv4.conf.default.forwarding" = true;
      };
    };

    fileSystems."/boot" = {
      device = "/dev/disk/by-label/boot";
      fsType = "vfat";
    };

    networking = {
      hostName = "surtr";
      domain = "yggdrasil";
      search = [ "yggdrasil" ];
      enableIPv6 = true;

      # Static addressing through systemd-networkd; no DHCP client at all.
      dhcpcd.enable = false;
      useDHCP = false;
      useNetworkd = true;
      defaultGateway.address = "202.61.240.1";
      defaultGateway6.address = "fe80::1";
      interfaces."ens3" = {
        ipv4.addresses = [
          { address = "202.61.241.61"; prefixLength = 22; }
        ];
        ipv6.addresses = [
          # { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; }
          { address = "2a03:4000:52:ada::"; prefixLength = 96; }
        ];
      };

      # The iptables-based firewall module is disabled; all packet filtering
      # comes from the nftables ruleset, so a change to ./ruleset.nft is a
      # change to this host's network exposure.
      firewall.enable = false;
      nftables = {
        enable = true;
        rulesetFile = ./ruleset.nft;
      };
    };

    systemd.network.networks."40-ens3".networkConfig = {
      # Send every lookup to the local resolver on port 5353 (the resolved
      # comment below says this is unbound; presumably configured in ./dns).
      Domains = mkForce "~.";
      DNS = [ "127.0.0.1:5353" "[::1]:5353" ];
      # DNSSEC = true;
      # DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ];
    };

    services = {
      resolved = {
        llmnr = "false";
        dnssec = "false"; # unbound does dnssec validation for us
      };

      # Proxy neighbour discovery for the routed /64s so the upstream router
      # resolves addresses that sit behind this host.
      ndppd = {
        enable = true;
        proxies.ens3 = {
          router = false;
          rules = {
            "2a03:4000:20:259::/64".method = "static";
            "2a03:4000:52:ada::/64".method = "static";
          };
        };
      };

      # chrony replaces timesyncd: every network source is NTS-authenticated,
      # the KVM PTP clock is a local refclock, and `cmdport 0` turns off the
      # UDP command port.
      timesyncd.enable = false;
      chrony = {
        enable = true;
        servers = [];
        extraConfig = ''
          pool time.cloudflare.com iburst nts
          pool nts.ntp.se iburst nts
          server nts.sth1.ntp.se iburst nts
          server nts.sth2.ntp.se iburst nts
          server ptbtime1.ptb.de iburst nts
          server ptbtime2.ptb.de iburst nts
          server ptbtime3.ptb.de iburst nts
          refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
          leapsectz right/UTC
          makestep 0.1 3
          cmdport 0
        '';
      };

      # Key-only SSH, further restricted to members of the "ssh" group.
      openssh = {
        enable = true;
        passwordAuthentication = false;
        kbdInteractiveAuthentication = false;
        extraConfig = ''
          AllowGroups ssh
        '';
      };
    };

    # The PHC refclock needs the real /dev/ptp_kvm; the sandboxed /dev that
    # PrivateDevices would give chronyd does not contain it, hence the force.
    systemd.services.chronyd.serviceConfig.PrivateDevices = mkForce false;

    # root is the only account allowed through AllowGroups above, so SSH access
    # is root-with-key only (PermitRootLogin itself is presumably set by the
    # openssh profile).
    users.groups."ssh".members = [ "root" ];

    nix.gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };

    # 4096-bit DH parameters for nginx and coturn; `stateful` keeps the
    # generated parameters across rebuilds instead of regenerating them.
    security.dhparams = {
      enable = true;
      defaultBitSize = 4096;
      params = {
        nginx = {};
        coturn = {};
      };
      stateful = true;
    };

    system.stateVersion = "20.09";
  };
}