{ config, pkgs, ... }:

let
  envsubstConfiguration =
    pkgs.callPackage /opt/secrets/envsubst-configuration.nix { };
  config = rec {
    TLD = envsubstConfiguration.TLD;
    cgitPort = "81";
    openSSHPort = 23841;
  };
in {
  imports = [
    ./hardware-configuration.nix
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
    })
  ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking = {
    interfaces.ens3.useDHCP = true;
  };

  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
    # min-free 1G
    extraOptions = ''
      min-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  environment = {
    systemPackages = let
      c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
        postInstall = ''
          ln -s $out/bin/tcc $out/bin/c99
        '';
      });
    in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ];
    shellAliases = { l = "ls -lahF"; };
  };

  networking.firewall.allowedTCPPorts = [
    # SSH: OpenSSH
    config.openSSHPort

    # HTTP and HTPPS: NGINX
    80
    443

    # Git daemon
    9418
  ];

  security = {
    acme = {
      acceptTerms = true;
      email = "eu@euandre.org";
    };
    sudo.enable = false;
    doas = {
      enable = true;
      extraConfig = ''
        permit nopass setenv { NIX_PATH } :wheel
      '';
    };
  };

  services = {
    openssh = {
      enable = true;
      permitRootLogin = "no";
      passwordAuthentication = false;
      ports = [ config.openSSHPort ];
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "${config.TLD}" = {
          forceSSL = true;
          enableACME = true;
          root = "/srv/http/";
          extraConfig = ''
            # Allow <script type="module" src="..."> 3rd-party HTML pages
            add_header 'Access-Control-Allow-Origin' '*';
            autoindex on;
          '';
        };
        "git.${config.TLD}" = {
          forceSSL = true;
          enableACME = true;
          extraConfig = ''
            location = /favicon.ico {
              alias ${pkgs.cgit}/cgit/favicon.ico;
            }
            location / {
              # Allow <script type="module" src="..."> 3rd-party HTML pages
              add_header 'Access-Control-Allow-Origin' '*';
              proxy_pass http://localhost:${config.cgitPort};
            }
          '';
        };
      };
    };

    lighttpd = {
      enable = true;
      port = pkgs.lib.toInt config.cgitPort;
      cgit = {
        enable = true;
        subdir = "";
        configText = ''
          enable-blame=1
          enable-commit-graph=1
          enable-follow-links=1
          enable-index-owner=0
          enable-log-filecount=1
          enable-log-linecount=1
          enable-html-serving=1
          root-desc=Patches welcome!
          readme=:README.en.md
          readme=:README.md
          readme=:README
          max-repodesc-length=120
          max-repo-count=999
          remove-suffix=1
          root-title=EuAndreh's repositories
          snapshots=tar.xz
          source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
          about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
          scan-path=/srv/http
          mimetype.mjs=text/javascript
        '';
      };
    };

    gitDaemon = {
      enable = true;
      basePath = "/srv/http";
      exportAll = true;
    };

    cron = {
      enable = true;
      systemCronJobs = [
        "30 1 * * 1 root /opt/bin/gc.sh"
        "30 0 * * * root /opt/bin/backup.sh"
      ];
    };
  };

  users = {
    # Improve: make mutable
    mutableUsers = false;
    extraUsers = let
      andrehUser = {
        andreh = {
          uid = 1000;
          isNormalUser = true;
          extraGroups = [ "wheel" ];
          hashedPassword = envsubstConfiguration.hashedPassword;
          openssh.authorizedKeys.keys = [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org"
          ];
        };
      };
      buildUser = (i: {
        "guixbuilder${i}" = {
          group = "guixbuild";
          extraGroups = [ "guixbuild" ];
          home = "/var/empty";
          shell = pkgs.nologin;
          description = "Guix build user ${i}";
          isSystemUser = true;
        };
      });
    in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
    (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
    extraGroups.guixbuild = { name = "guixbuild"; };
  };

  mailserver = {
    enable = true;
    fqdn = "mail.${config.TLD}";
    domains = [ config.TLD ];
    loginAccounts = {
      "eu@${config.TLD}" = {
        hashedPasswordFile = "/opt/secrets/mail-user-password-hash.txt";
      	aliases = [ "@${config.TLD}" ];
      };
    };
    certificateScheme = 3;
  };

  systemd = {
    services = {
      guix-daemon = {
        enable = true;
        description = "Build daemon for GNU Guix";
        serviceConfig = {
          ExecStart =
            "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
        };
        wantedBy = [ "multi-user.target" ];
      };
    };
  };

  system = {
    stateVersion = "20.09";
    autoUpgrade = {
      enable = true;
      allowReboot = true;
    };
  };
}