{ hostName, flake, config, pkgs, lib, ... }:
{
  imports = with flake.nixosModules.systemProfiles; [
    ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
    initrd-ssh
  ];

  config = {
    nixpkgs = {
      system = "x86_64-linux";
    };

    networking.hostId = "1e7ddd78";
    environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e";

    boot = {
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083";
      };

      kernelModules = [ "kvm-intel" ];

      kernelParams = [
        "ip=10.141.0.1:::255.255.255.0::eno1:static"
      ];

      tmpOnTmpfs = true;

      initrd = {
        supportedFilesystems = [ "zfs" ];
        availableKernelModules = [ "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas" "e1000e" ];
        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];

        luks.devices = {
          nvm0.device = "/dev/disk/by-label/${hostName}-nvm0";
          nvm1.device = "/dev/disk/by-label/${hostName}-nvm1";
          
          hdd0.device = "/dev/disk/by-label/${hostName}-hdd0";
          hdd1.device = "/dev/disk/by-label/${hostName}-hdd1";
          hdd2.device = "/dev/disk/by-label/${hostName}-hdd2";
          hdd3.device = "/dev/disk/by-label/${hostName}-hdd3";
          hdd4.device = "/dev/disk/by-label/${hostName}-hdd4";
          hdd5.device = "/dev/disk/by-label/${hostName}-hdd5";
        };

        network.flushBeforeStage2 = false;
      };
    };

    fileSystems = {
      "/" = {
        fsType = "tmpfs";
        options = [ "mode=0755" ];
      };
    };
    
    services.timesyncd.enable = false;
    services.chrony = {
      enable = true;
      servers = [];
      extraConfig = ''
        allow 10.141.1.0/24
        local

        pool time.cloudflare.com iburst nts
        pool nts.ntp.se iburst nts
        server nts.sth1.ntp.se iburst nts
        server nts.sth2.ntp.se iburst nts
        server ptbtime1.ptb.de iburst nts
        server ptbtime2.ptb.de iburst nts
        server ptbtime3.ptb.de iburst nts

        leapsectz right/UTC

        makestep 0.1 3

        cmdport 0
      '';
    };

    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      kbdInteractiveAuthentication = false;
      extraConfig = ''
        AllowGroups ssh
      '';
    };
    users.groups."ssh" = {
      members = ["root"];
    };

    security.sudo.extraConfig = ''
      Defaults lecture = never
    '';

    nix = {
      daemonCPUSchedPolicy = "batch";
      daemonIOSchedClass = "idle";

      gc = {
        automatic = true;
        options = "--delete-older-than 30d";
      };
    };

    powerManagement = {
      enable = true;

      cpuFreqGovernor = "schedutil";
    };

    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
      '';
      upstreams.grafana = {
        servers = { "unix:${config.services.grafana.socket}" = {}; };
      };
      virtualHosts = {
        ${config.services.grafana.domain} = {
          forceSSL = true;
          sslCertificate = ./selfsigned.crt;
          sslCertificateKey = "/run/credentials/nginx.service/selfsigned.key";
          locations."/" = {
            proxyPass = "http://grafana/";
            proxyWebsockets = true;
          };
        };
      };
    };
    users.users.nginx.extraGroups = ["grafana"];
    services.grafana = {
      enable = true;
      analytics.reporting.enable = false;
      domain = "grafana.vidhar.yggdrasil";
      security.adminPasswordFile = config.sops.secrets."grafana-admin-password".path;
      security.secretKeyFile = config.sops.secrets."grafana-secret-key".path;
      protocol = "socket";
    };
    sops.secrets."grafana-admin-password" = {
      format = "binary";
      sopsFile = ./grafana-admin-password;
      owner = "grafana";
    };
    sops.secrets."grafana-secret-key" = {
      format = "binary";
      sopsFile = ./grafana-secret-key;
      owner = "grafana";
    };
    sops.secrets."selfsigned.key" = {
      format = "binary";
      sopsFile = ./selfsigned.key;
    };
    systemd.services.nginx = {
      preStart = lib.mkForce config.services.nginx.preStart;
      serviceConfig = {
        ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        LoadCredential = [ "selfsigned.key:${config.sops.secrets."selfsigned.key".path}" ];
      };
    };

    services.loki = {
      enable = true;
      configuration = {
        auth_enabled = false;
        server = {
          http_listen_port = 9094;
          grpc_listen_port = 9095;
        };
        common = {
          path_prefix = config.services.loki.dataDir;
          storage.filesystem = {
            chunks_directory = "${config.services.loki.dataDir}/chunks";
            rules_directory = "${config.services.loki.dataDir}/rules";
          };
          replication_factor = 1;
          ring = {
            instance_addr = "127.0.0.1";
            kvstore = {
              store = "inmemory";
            };
          };
        };
        ruler = {
          enable_api = true;
          storage = {
            type = "local";
            local.directory = "${config.services.loki.dataDir}/rules";
          };
          rule_path = "${config.services.loki.dataDir}/rules-temp";
          remote_write = {
            enabled = true;
            client.url = "http://localhost:9090/api/v1/write";
          };
          ring.kvstore.store = "inmemory";
        };
        schema_config.configs = [
          { from = "2022-01-01";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }
        ];
      };
    };
    systemd.services.loki.preStart = let
      rulesYaml = lib.generators.toYAML {} {
        groups = [
          { name = "power-failures";
            rules = [
              { record = "apcupsd_power_failures:per_day";
                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
              }
              { record = "apcupsd_power_failures:per_week";
                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
              }
            ];
          }
        ];
      };
    in ''
      ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
      ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
    '';
    services.promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 9080;
          grpc_listen_port = 0;
        };
        clients = [
          { url = "http://localhost:9094/loki/api/v1/push"; }
        ];
        scrape_configs = [
          { job_name = "journal";
            journal = {
              json = true;
              max_age = "12h";
              path = "/var/log/journal";
              labels = {
                job = "systemd-journal";
              };
            };
            relabel_configs = [
              { source_labels = ["__journal__systemd_unit"];
                target_label = "unit";
              }
              { source_labels = ["__journal__hostname"];
                target_label = "nodename";
              }
            ];
          }
        ];
      };
    };

    services.apcupsd = {
      enable = true;
      configText = ''
        UPSNAME ups01
        UPSCABLE usb
        UPSTYPE usb
        DEVICE
        NISIP 127.0.0.1
        BATTERYLEVEL 10
        MINUTES 5
        POLLTIME 1
        ONBATTERYDELAY 0
        NOLOGON disable
      '';
    };

    services.atftpd = {
      enable = true;
      extraOptions = [
        "--bind-address=10.141.1.1"
      ];
    };

    systemd.user.targets = {
      basic.wants = ["systemd-tmpfiles-setup.service"];
      timers.wants = ["systemd-tmpfiles-clean.timer"];
    };

    environment.systemPackages = with pkgs; [iotop vmtouch];
  };
}