# NixOS host module for "surtr": a KVM guest with static public IPv4/IPv6
# addressing, ZFS, a hand-written nftables ruleset, a local DNS resolver and
# NTS-authenticated time sync, plus the service modules kept next to this file.
{ flake, pkgs, lib, ... }:

{
  # Shared system profiles from the flake, followed by the host-local modules.
  imports = with flake.nixosModules.systemProfiles; [
    tmpfs-root
    qemu-guest
    openssh
    rebuild-machines
    zfs

    ./zfs.nix
    ./dns
    ./tls
    ./http
    ./bifrost
    ./matrix
    ./postgresql
    ./prometheus
    ./email
    ./vpn
    ./borg.nix
    ./etebase
  ];

  config = {
    nixpkgs.system = "x86_64-linux";
    system.stateVersion = "20.09";

    # Host identity: hostId is the first 8 hex digits of the pinned machine-id.
    networking.hostId = "a64cf4d7";
    environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";

    ### Boot, kernel and storage ###
    boot = {
      loader.grub = {
        enable = true;
        configurationLimit = 7;
        device = "/dev/vda";
      };
      tmp.useTmpfs = true;
      # /dev/vda2 does not show up in /dev/disk/by-id, so ZFS must look in /dev.
      zfs.devNodes = "/dev";
      # PTP clock exposed by KVM; it is the chrony refclock configured below.
      kernelModules = [ "ptp_kvm" ];
      enableContainers = true;
      # Forward both address families on every interface (presumably for the
      # ndppd-proxied prefixes and the containers -- confirm).
      kernel.sysctl = {
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv4.conf.default.forwarding" = true;
        "net.ipv6.conf.all.forwarding" = true;
        "net.ipv6.conf.default.forwarding" = true;
      };
    };

    fileSystems."/boot" = {
      device = "/dev/disk/by-label/boot";
      fsType = "vfat";
    };

    zramSwap = {
      enable = true;
      algorithm = "zstd";
    };

    ### Networking ###
    networking = {
      hostName = "surtr";
      domain = "yggdrasil";
      search = [ "yggdrasil" ];
      enableIPv6 = true;

      # Static addressing handled by systemd-networkd; no DHCP client at all.
      useDHCP = false;
      dhcpcd.enable = false;
      useNetworkd = true;
      defaultGateway.address = "202.61.240.1";
      defaultGateway6.address = "fe80::1";
      interfaces.ens3 = {
        ipv4.addresses = [
          { address = "202.61.241.61"; prefixLength = 22; }
        ];
        ipv6.addresses = [
          # { address = "2a03:4000:52:ada:98e7:16ff:feba:7a2e"; prefixLength = 128; }
          { address = "2a03:4000:52:ada::"; prefixLength = 96; }
        ];
      };

      # The NixOS firewall module is replaced by a hand-written nftables
      # ruleset; ./ruleset.nft has to be kept in step with the services
      # enabled on this host.
      firewall.enable = false;
      nftables = {
        enable = true;
        rulesetFile = ./ruleset.nft;
      };
    };

    # Route every lookup to the local resolver on port 5353 (unbound, per the
    # resolved comment below -- presumably set up in ./dns).
    systemd.network.networks."40-ens3".networkConfig = {
      Domains = lib.mkForce "~.";
      DNS = [ "127.0.0.1:5353" "[::1]:5353" ];
      # DNSSEC = true;
      # DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ];
    };

    services = {
      resolved = {
        llmnr = "false";
        # unbound does dnssec validation for us
        dnssec = "false";
      };

      # NDP proxy for the two /64 prefixes on ens3 (static entries, not
      # acting as a router).
      ndppd = {
        enable = true;
        proxies.ens3 = {
          router = false;
          rules = {
            "2a03:4000:20:259::/64".method = "static";
            "2a03:4000:52:ada::/64".method = "static";
          };
        };
      };

      # Time: chrony with NTS-authenticated sources only; timesyncd is off.
      timesyncd.enable = false;
      chrony = {
        enable = true;
        enableNTS = true;
        # The module's own server list is emptied; every source is declared in
        # extraConfig so that "authselectmode require" covers all of them.
        servers = [ ];
        extraConfig = ''
          pool time.cloudflare.com iburst nts
          pool nts.netnod.se prefer iburst nts
          server ptbtime1.ptb.de prefer iburst nts
          server ptbtime2.ptb.de prefer iburst nts
          server ptbtime3.ptb.de prefer iburst nts
          server ptbtime4.ptb.de prefer iburst nts
          authselectmode require
          minsources 3
          refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
          leapsectz right/UTC
          makestep 0.1 3
          cmdport 0
        '';
      };

      openssh = {
        enable = true;
        # Only members of the "ssh" group may log in (see users.groups.ssh).
        extraConfig = ''
          AllowGroups ssh
        '';
      };
    };

    # chronyd needs /dev/ptp_kvm for the refclock above; PrivateDevices is
    # set elsewhere (hence mkForce) and would hide it.
    systemd.services.chronyd.serviceConfig.PrivateDevices = lib.mkForce false;

    users.groups.ssh.members = [ "root" ];

    nix.gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };

    # 4096-bit DH parameters for nginx and coturn.
    security.dhparams = {
      enable = true;
      defaultBitSize = 4096;
      params = {
        nginx = { };
        coturn = { };
      };
      stateful = true;
    };

    # Mutable /etc overlay and classic user/group management (no sysusers).
    systemd.sysusers.enable = false;
    system.etc.overlay.mutable = true;
  };
}