{ config, pkgs, ... }:

let
  # Site-specific values kept out of this file: the ACME contact e-mail
  # (private) and the host names the services are published under (derived).
  privateConfiguration = import ./private-configuration.nix;
  derivedConfiguration = import ./derived-configuration.nix;
  inherit (derivedConfiguration) nextcloudTLD gitTLD;

  # Baseline applied to every published host name: HTTPS only, with the
  # certificate obtained automatically through ACME.
  tlsOnlyVirtualHost = _: {
    forceSSL = true;
    enableACME = true;
  };

  # Hosts that need more than the baseline go here, keyed by host name.
  # NOTE(review): the baseline is merged on top of this set, so a custom entry
  # for a host that also appears in baselineHosts is overridden by the
  # baseline — the original fold had the same precedence; confirm it is intended.
  customVirtualHosts = { };
  baselineHosts = [ nextcloudTLD gitTLD ];
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking = {
    useDHCP = false;
    interfaces.ens3.useDHCP = true;
    # HTTP, HTTPS and SSH are reachable from anywhere; SSH is key-only (see
    # services.openssh below).
    firewall.allowedTCPPorts = [ 80 443 22 ];
  };

  environment.systemPackages = [ pkgs.vim ];

  security.acme = {
    acceptTerms = true;
    email = privateConfiguration.letsencryptEmail;
  };

  # Key-based SSH only: no root login, no password authentication.
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    passwordAuthentication = false;
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # FIXME: ?????
    # NOTE(review): this replaces the nginx module's default cipher list. The
    # string likely admits non-AEAD (CBC) suites, so the module default is
    # probably the stricter choice — confirm before keeping the override.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    virtualHosts =
      customVirtualHosts // pkgs.lib.genAttrs baselineHosts tlsOnlyVirtualHost;
    gitweb = {
      enable = true;
      location = "/";
      virtualHost = gitTLD;
    };
  };

  services.nextcloud = {
    enable = true;
    hostName = nextcloudTLD;
    nginx.enable = true;
    https = true;
    autoUpdateApps = {
      enable = true;
      startAt = "05:00:00";
    };
    config = {
      overwriteProtocol = "https";
      dbtype = "pgsql";
      dbuser = "nextcloud";
      # Unix socket directory; nextcloud will add /.s.PGSQL.5432 by itself.
      dbhost = "/run/postgresql";
      dbname = "nextcloud";
      # Secrets stay outside the Nix store. Both files have to be provisioned
      # out of band and should be readable by the nextcloud service user only.
      dbpassFile = "/var/nextcloud-db-pass";
      adminpassFile = "/var/nextcloud-admin-pass";
      adminuser = "admin";
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
      }
    ];
  };

  services.gitweb = {
    gitwebTheme = true;
    projectroot = "/srv/git";
  };

  # FIXME: is this required?
  # Makes the one-shot setup unit wait for the local database; harmless if the
  # nextcloud module already adds the same ordering for the pinned release.
  systemd.services."nextcloud-setup" = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };

  users.users.nixos = {
    uid = 1000;
    extraGroups = [ "wheel" ];
    useDefaultShell = true;
    # FIXME: password hash file?
    # NOTE(review): no password is set for this account, so sudo via wheel
    # (which prompts for a password by default) is not usable; isNormalUser is
    # also not set, so home directory and primary group follow the
    # system-account defaults — confirm both are intended.
    openssh.authorizedKeys.keyFiles = [ "/etc/nixos/nixos-user-authorized-key" ];
  };

  system.stateVersion = "19.09";
}