{ hostName, flake, config, pkgs, lib, ... }:

with lib;

{
  imports = with flake.nixosModules.systemProfiles; [
    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
    initrd-ssh
  ];

  config = {
    nixpkgs = {
      system = "x86_64-linux";
    };

    networking.hostId = "1e7ddd78";
    environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e";

    boot = {
      loader.grub = {
        enable = true;
        configurationLimit = 420;
        version = 2;
        device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083";
      };

      kernelModules = [ "kvm-intel" ];

      kernelParams = [
        "ip=10.141.0.1:::255.255.255.0::eno1:static"
      ];

      tmpOnTmpfs = true;

      initrd = {
        supportedFilesystems = [ "zfs" ];
        availableKernelModules = [ "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas" "e1000e" ];
        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];

        luks.devices = {
          nvm0 = { device = "/dev/disk/by-label/${hostName}-nvm0"; bypassWorkqueues = true; };
          nvm1 = { device = "/dev/disk/by-label/${hostName}-nvm1"; bypassWorkqueues = true; };

          hdd0.device = "/dev/disk/by-label/${hostName}-hdd0";
          hdd1.device = "/dev/disk/by-label/${hostName}-hdd1";
          hdd2.device = "/dev/disk/by-label/${hostName}-hdd2";
          hdd3.device = "/dev/disk/by-label/${hostName}-hdd3";
          hdd4.device = "/dev/disk/by-label/${hostName}-hdd4";
          hdd5.device = "/dev/disk/by-label/${hostName}-hdd5";
        };

        network.flushBeforeStage2 = false;
      };
    };

    services.timesyncd.enable = false;
    services.chrony = {
      enable = true;
      enableNTS = true;
      servers = [];
      extraConfig = ''
        allow 10.141.1.0/24
        local

        pool time.cloudflare.com iburst nts
        pool nts.netnod.se prefer iburst nts
        server ptbtime1.ptb.de prefer iburst nts
        server ptbtime2.ptb.de prefer iburst nts
        server ptbtime3.ptb.de prefer iburst nts
        server ptbtime4.ptb.de prefer iburst nts

        authselectmode require
        minsources 3

        nocerttimecheck 1

        leapsectz right/UTC

        makestep 0.1 3

        cmdport 0
      '';
    };

    services.openssh = {
      enable = true;
      extraConfig = ''
        AllowGroups ssh
      '';
    };
    users.groups."ssh" = {
      members = ["root"];
    };

    nix = {
      daemonCPUSchedPolicy = "batch";
      daemonIOSchedClass = "idle";

      gc = {
        automatic = true;
        options = "--delete-older-than 30d";
      };
    };
    systemd.services."nix-daemon" = {
      environment = {
        TMPDIR = "/nix/tmp";
      };
      serviceConfig = {
        CPUQuota = "2000%";
      };
    };

    powerManagement = {
      enable = true;

      cpuFreqGovernor = "schedutil";
    };

    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

        log_format main
                '$remote_addr "$remote_user" '
                '"$host" "$request" $status $bytes_sent '
                '"$http_referer" "$http_user_agent" '
                '$gzip_ratio';

        access_log syslog:server=unix:/dev/log main;
        error_log syslog:server=unix:/dev/log info;

        client_body_buffer_size 16m;
        client_body_temp_path /run/nginx-client-bodies;
      '';
      upstreams.grafana = {
        servers = { "unix:${config.services.grafana.settings.server.socket}" = {}; };
      };
      virtualHosts = {
        ${config.services.grafana.settings.server.domain} = {
          forceSSL = true;
          sslCertificate = ./selfsigned.crt;
          sslCertificateKey = "/run/credentials/nginx.service/selfsigned.key";
          locations."/" = {
            proxyPass = "http://grafana/";
            proxyWebsockets = true;
          };
        };
      };
    };
    users.users.nginx.extraGroups = ["grafana"];
    services.grafana = {
      enable = true;
      settings = {
        analytics.reporting_enabled = false;
        server.protocol = "socket";
        server.domain = "grafana.vidhar.yggdrasil";
        security.admin_password = "$__file{${config.sops.secrets."grafana-admin-password".path}}";
        security.secret_key = "$__file{${config.sops.secrets."grafana-secret-key".path}}";
      };
    };
    sops.secrets."grafana-admin-password" = {
      format = "binary";
      sopsFile = ./grafana-admin-password;
      owner = "grafana";
    };
    sops.secrets."grafana-secret-key" = {
      format = "binary";
      sopsFile = ./grafana-secret-key;
      owner = "grafana";
    };
    sops.secrets."selfsigned.key" = {
      format = "binary";
      sopsFile = ./selfsigned.key;
    };
    systemd.services.nginx = {
      preStart = mkForce config.services.nginx.preStart;
      serviceConfig = {
        ExecReload = mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        LoadCredential = [ "selfsigned.key:${config.sops.secrets."selfsigned.key".path}" ];

        RuntimeDirectory = mkForce [ "nginx" "nginx-client-bodies" ];
        RuntimeDirectoryMode = "0750";
      };
    };

    services.loki = {
      enable = true;
      configuration = {
        auth_enabled = false;
        server = {
          http_listen_port = 9094;
          grpc_listen_port = 9095;
        };
        common = {
          path_prefix = config.services.loki.dataDir;
          storage.filesystem = {
            chunks_directory = "${config.services.loki.dataDir}/chunks";
            rules_directory = "${config.services.loki.dataDir}/rules";
          };
          replication_factor = 1;
          ring = {
            instance_addr = "127.0.0.1";
            kvstore = {
              store = "inmemory";
            };
          };
        };
        ruler = {
          enable_api = true;
          storage = {
            type = "local";
            local.directory = "${config.services.loki.dataDir}/rules";
          };
          rule_path = "${config.services.loki.dataDir}/rules-temp";
          remote_write = {
            enabled = true;
            client.url = "http://localhost:9090/api/v1/write";
          };
          ring.kvstore.store = "inmemory";
        };
        schema_config.configs = [
          { from = "2022-01-01";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }
        ];
      };
    };
    systemd.services.loki = {
      preStart = let
        rulesYaml = generators.toYAML {} {
          groups = [
            { name = "power-failures";
              rules = [
                { record = "apcupsd_power_failures:per_day";
                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
                }
                { record = "apcupsd_power_failures:per_week";
                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
                }
              ];
            }
          ];
        };
      in ''
        ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
        ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
      '';
      serviceConfig.Environment = [
        "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
      ];
    };
    services.promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 9080;
          grpc_listen_port = 0;
        };
        clients = [
          { url = "http://localhost:9094/loki/api/v1/push"; }
        ];
        scrape_configs = [
          { job_name = "journal";
            journal = {
              json = true;
              max_age = "12h";
              path = "/var/log/journal";
              labels = {
                job = "systemd-journal";
              };
            };
            relabel_configs = [
              { source_labels = ["__journal__systemd_unit"];
                target_label = "unit";
              }
              { source_labels = ["__journal__hostname"];
                target_label = "nodename";
              }
            ];
          }
        ];
      };
    };
    systemd.services.promtail.serviceConfig.Environment = [
      "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
    ];

    services.apcupsd = {
      enable = true;
      configText = ''
        UPSNAME ups01
        UPSCABLE usb
        UPSTYPE usb
        DEVICE
        NISIP 127.0.0.1
        BATTERYLEVEL 10
        MINUTES 5
        POLLTIME 1
        ONBATTERYDELAY 0
        NOLOGON disable
      '';
    };

    services.atftpd = {
      enable = true;
      extraOptions = [
        "--bind-address=10.141.1.1"
      ];
    };

    systemd.user.targets = {
      basic.wants = ["systemd-tmpfiles-setup.service"];
      timers.wants = ["systemd-tmpfiles-clean.timer"];
    };

    services.smartd = {
      enable = true;
      autodetect = false;
      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
      devices = map (dev: { device = "/dev/disk/by-path/${dev}"; }) [
        "pci-0000:00:1f.2-ata-1"
        "pci-0000:00:1f.2-ata-3"
        "pci-0000:00:1f.2-ata-4"
        "pci-0000:00:1f.2-ata-5"
        "pci-0000:00:1f.2-ata-6"
        "pci-0000:02:00.0-nvme-1"
        "pci-0000:05:00.0-sas-phy0-lun-0"
        "pci-0000:05:00.0-sas-phy1-lun-0"
        "pci-0000:06:00.0-nvme-1"
      ];
      notifications = {
        test = false;
        mail.enable = false;
        x11.enable = false;
        wall.enable = false;
      };
    };

    zramSwap = {
      enable = true;
      algorithm = "zstd";
    };

    environment.systemPackages = with pkgs; [iotop vmtouch];

    system.stateVersion = "21.05";
  };
}