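# NixOS configuration for a small personal server: one static docs site per
# project, cgit + git-daemon for the repositories under /srv/git, nginx in
# front of everything, and a GNU Guix build daemon.
#
# Host-specific values (TLD, password hash) come from an envsubst-generated
# file outside this repository, see `envsubstConfiguration` below.
{ config, pkgs, ... }:
let
  lib = pkgs.lib;

  # Per-host values filled in by envsubst before deployment.
  # NOTE(review): whatever is read from here is evaluated into the system
  # derivation and therefore lands in the world-readable Nix store.  That is
  # presumably fine for the TLD; for hashedPassword a file-based option would
  # keep the hash out of the store — confirm which behaviour is intended.
  envsubstConfiguration = pkgs.callPackage /etc/nixos/envsubst-configuration.nix { };

  # Site-wide constants.  Deliberately NOT named `config`: that name is the
  # NixOS module argument above, and shadowing it makes the two easy to mix up.
  settings = {
    TLD = envsubstConfiguration.TLD;
    # lighttpd/cgit listen here.  This port is not opened in the firewall, so
    # cgit is only reachable through the nginx reverse proxy configured below.
    cgitPort = "81";
    openSSHPort = 23841;
    # Each project gets a "<project>.<TLD>" static site rooted at /srv/http/<project>/.
    docs-projects = [
      "boneco"
      "pdfs-da-d-maria"
      "package-repository"
      "servers"
      "remembering"
      "autoqemu"
      "fallible"
      "sharedc"
      "mediator"
      "gluilo"
    ];
  };

  # nginx virtualHost (as a name/value pair) for one documentation project:
  # HTTPS only, ACME certificate, static files from /srv/http/<project>/.
  site-for-project = project-name:
    lib.nameValuePair "${project-name}.${settings.TLD}" {
      forceSSL = true;
      enableACME = true;
      root = "/srv/http/${project-name}/";
    };

  # Unprivileged system user "guixbuilder<i>" for the Guix build daemon,
  # as a name/value pair for listToAttrs.
  guix-build-user = i:
    lib.nameValuePair "guixbuilder${i}" {
      group = "guixbuild";
      extraGroups = [ "guixbuild" ];
      home = "/var/empty";
      shell = pkgs.nologin;
      description = "Guix build user ${i}";
      isSystemUser = true;
    };
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking = {
    useDHCP = false;
    interfaces.ens3.useDHCP = true;

    # Everything not listed here stays closed — notably cgit's port 81 and the
    # default SSH port 22 (OpenSSH only listens on settings.openSSHPort).
    firewall.allowedTCPPorts = [
      # SSH: OpenSSH
      settings.openSSHPort
      # HTTP and HTTPS: nginx
      80
      443
      # Git protocol: git-daemon (anonymous, read-only)
      9418
    ];
  };

  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
    # Keep at least 1 GiB free on the store volume; min-free takes bytes.
    extraOptions = ''
      min-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  environment = {
    systemPackages =
      let
        # tinycc ships no `c99` entry point; expose one as a symlink to tcc.
        c99 = pkgs.tinycc.overrideAttrs (_: {
          postInstall = ''
            ln -s $out/bin/tcc $out/bin/c99
          '';
        });
      in
      with pkgs; [
        vim
        git
        gitAndTools.git-annex
        gnumake
        c99
      ];
    shellAliases = {
      l = "ls -lahF";
    };
  };

  security = {
    acme = {
      acceptTerms = true;
      email = "eu@euandre.org";
    };
    # doas replaces sudo as the only privilege-escalation path.
    sudo.enable = false;
    doas = {
      enable = true;
      # `nopass` grants passwordless root to every wheel member (currently only
      # "andreh"), so possession of that account's SSH key is equivalent to root
      # on this host.  NIX_PATH is preserved, presumably so `nixos-rebuild` keeps
      # resolving <nixpkgs> as root — confirm before tightening.
      extraConfig = ''
        permit nopass setenv { NIX_PATH } :wheel
      '';
    };
  };

  services = {
    openssh = {
      enable = true;
      # Key-only logins on a non-default port; root is reached via doas, never
      # directly.  (Newer NixOS releases expose these two options under
      # services.openssh.settings; the names below are the 20.09 ones.)
      permitRootLogin = "no";
      passwordAuthentication = false;
      ports = [ settings.openSSHPort ];
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts =
        lib.listToAttrs (map site-for-project settings.docs-projects)
        // {
          # TLS termination for cgit; the actual pages come from lighttpd on
          # settings.cgitPort, which the firewall keeps closed to the outside.
          "git.${settings.TLD}" = {
            forceSSL = true;
            enableACME = true;
            extraConfig = ''
              location = /favicon.ico {
                alias ${pkgs.cgit}/cgit/favicon.ico;
              }
              location / {
                proxy_pass http://localhost:${settings.cgitPort};
              }
            '';
          };
        };
    };

    # cgit runs under lighttpd; one cgitrc directive per line.
    lighttpd = {
      enable = true;
      port = lib.toInt settings.cgitPort;
      cgit = {
        enable = true;
        subdir = "";
        configText = ''
          enable-blame=1
          enable-commit-graph=1
          enable-follow-links=1
          enable-index-owner=0
          enable-log-filecount=1
          enable-log-linecount=1
          root-desc=Patches welcome!
          readme=:README.md
          readme=:README
          max-repodesc-length=120
          remove-suffix=1
          root-title=EuAndreh's repositories
          snapshots=tar.gz
          source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
          about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
          scan-path=/srv/git
        '';
      };
    };

    # Anonymous git:// access.  With exportAll every repository under /srv/git
    # is served regardless of git-daemon-export-ok markers, so anything placed
    # in that directory is public.
    gitDaemon = {
      enable = true;
      basePath = "/srv/git";
      exportAll = true;
    };

    # Both jobs run as root from paths outside the Nix store; /opt/bin and the
    # scripts themselves should be root-owned and not writable by anyone else.
    cron = {
      enable = true;
      systemCronJobs = [
        "30 1 * * 1 root /opt/bin/gc.sh"
        "30 0 * * * root /opt/bin/backup.sh"
      ];
    };
  };

  users = {
    # Improve: make mutable
    mutableUsers = false;
    users =
      {
        # The only interactive account; wheel membership gives it passwordless
        # root through doas (see security.doas above).
        andreh = {
          uid = 1000;
          isNormalUser = true;
          extraGroups = [ "wheel" ];
          hashedPassword = envsubstConfiguration.hashedPassword;
          openssh.authorizedKeys.keys = [
            # FIXME: use ~/.ssh/id_rsa
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org"
          ];
        };
      }
      # guixbuilder01 … guixbuilder10
      // lib.listToAttrs
        (builtins.genList (n: guix-build-user (lib.fixedWidthNumber 2 (n + 1))) 10);
    groups.guixbuild = {
      name = "guixbuild";
    };
  };

  systemd = {
    services = {
      # The daemon binary lives in root's Guix profile, outside the Nix store,
      # so it is not pinned by this configuration.
      guix-daemon = {
        enable = true;
        description = "Build daemon for GNU Guix";
        serviceConfig = {
          ExecStart = "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
        };
        wantedBy = [ "multi-user.target" ];
      };
    };
  };

  system = {
    stateVersion = "20.09";
    # Unattended upgrades; allowReboot means the host may reboot on its own
    # whenever an upgrade requires it.
    autoUpgrade = {
      enable = true;
      allowReboot = true;
    };
  };
}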