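# NixOS configuration for host "atuin": a Xen guest on ZFS that runs DNS,
# IRC (ZNC behind an nginx TLS stream proxy), a handful of nginx vhosts, a
# Tor relay and a WireGuard hub whose peers are NATed out of eth0.
{ config, pkgs, lib, ... }:

{
  imports = [
    ../modules/server
    ../modules/server/dns
    ../modules/server/irc
    ../modules/server/nginx
    ../modules/server/tor
    ../modules/users
  ];

  # --- Boot / storage -----------------------------------------------------

  boot.initrd.availableKernelModules = [ "xen_blkfront" ];
  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.devNodes = "/dev";
  boot.kernelPackages = pkgs.linuxPackages;
  # Cap the ZFS ARC (~340 MiB) so the cache does not starve the guest.
  boot.kernelParams = [ "zfs.zfs_arc_max=356515840" ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "nodev";
    configurationLimit = 2;
  };

  fileSystems = {
    "/"            = { device = "rpool/root";                    fsType = "zfs"; neededForBoot = true; };
    "/boot"        = { device = "/dev/disk/by-partlabel/boot";   fsType = "ext4"; };
    "/nix"         = { device = "rpool/nix";                     fsType = "zfs"; neededForBoot = true; };
    "/var"         = { device = "rpool/var";                     fsType = "zfs"; };
    "/home/qyliss" = { device = "rpool/home/qyliss";             fsType = "zfs"; };
    "/root"        = { device = "rpool/home/root";               fsType = "zfs"; };
  };

  # NOTE(review): swap is not encrypted, so anything paged out (e.g. the
  # WireGuard or TLS private keys loaded below) can persist on disk.
  # Consider `randomEncryption = true` on this entry.
  swapDevices = [
    { device = "/dev/disk/by-uuid/49f18b74-5f6e-4e61-b569-f7cc9dc5c600"; }
  ];

  # Headless server: never drop into an emergency shell on a failed boot.
  systemd.enableEmergencyMode = false;
  nix.maxJobs = 2;

  # --- Networking ----------------------------------------------------------

  networking.hostName = "atuin";
  networking.hostId = "238d1961";   # ZFS requires a stable host id
  networking.domain = "qyliss.net";

  # Static addressing; no DHCP client.
  networking.dhcpcd.enable = false;
  networking.interfaces.eth0 = {
    ipv4.addresses = [ { address = "85.119.82.108";        prefixLength = 21; } ];
    ipv6.addresses = [ { address = "2001:ba8:1f1:f0bc::2"; prefixLength = 64; } ];
  };
  networking.defaultGateway  = "85.119.80.1";
  networking.defaultGateway6 = { address = "2001:ba8:1f1:f0bc::1"; };

  # 80/443: nginx; 6697: IRC-over-TLS (the nginx stream proxy below).
  networking.firewall.allowedTCPPorts = [ 80 443 6697 ];
  networking.firewall.allowedUDPPorts = with config; [
    networking.wireguard.interfaces.wg0.listenPort
  ];

  # Masquerade 10.100.0.0/24 (not the WireGuard range; origin unknown from
  # this file) regardless of egress interface.  The rule is appended to the
  # kernel's POSTROUTING chain directly rather than to a NixOS-managed chain,
  # so the firewall's reload does not flush it; the matching
  # extraStopCommands entry deletes it again, otherwise every reload
  # (e.g. each nixos-rebuild switch) would leave one more duplicate behind.
  networking.firewall.extraCommands = ''
    iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
  '';
  networking.firewall.extraStopCommands = ''
    iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE 2>/dev/null || true
  '';

  # Everything arriving on wg0 is NATed out of eth0.
  networking.nat.enable = true;
  networking.nat.externalInterface = "eth0";
  networking.nat.internalInterfaces = [ "wg0" ];

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.172.171.1" ];
    listenPort = 51820;
    # The key is read from disk at activation, never copied into the
    # world-readable Nix store.
    privateKeyFile = "/var/lib/wireguard/wg0/private";
    peers = [
      { publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8="; allowedIPs = [ "10.172.171.2/32" ]; }
      { publicKey = "lu4ZxYq7qpkmIt8z0Q/wb5Y0Wc3fa0ui9wOWn/+xYxI="; allowedIPs = [ "10.172.171.3/32" ]; }
      # This peer is allowed to source an entire /24; all of it is NATed to
      # the internet through the nat settings above.
      { publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ="; allowedIPs = [ "10.13.12.0/24" ]; }
    ];
  };

  # --- TLS certificates ---------------------------------------------------

  security.acme.acceptTerms = true;
  security.acme.email = "hi@alyssa.is";

  # One certificate per entry of `domains`.  Every nginx vhost whose name
  # ends in ".<domain>" is added as an extra name of that certificate, on
  # top of the `extraDomains` listed explicitly.  The postRun/webroot
  # defaults presumably mirror what the nginx module sets for enableACME
  # vhosts so the two definitions merge cleanly -- verify against the nginx
  # module in use if either side changes.
  security.acme.certs = with lib;
    let
      coalesce = maybe: default: if maybe == null then default else maybe;
      # extraDomains may be given as a list of names or as an attrset of
      # name -> webroot (null meaning "use the certificate's webroot").
      toAttrs = val: if isList val then genAttrs val (_: null) else val;
      # Effective server names of all vhosts (attr name when serverName is null).
      vhostDomains = mapAttrsToList
        (name: { serverName, ... }: coalesce serverName name)
        config.services.nginx.virtualHosts;
      domains = {
        "qyliss.net" = {};
        "spectrum-os.org" = { extraDomains = [ "spectrumos.org" ]; };
      };
    in mapAttrs
      (domain:
        { postRun ? "systemctl reload nginx.service"
        , webroot ? "/var/lib/acme/acme-challenge"
        , group ? "tls"
        , allowKeysForGroup ? true
        , extraDomains ? {}
        , ...
        } @ value:
        let
          extraDomainsFromVhosts =
            toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
        in value // {
          inherit postRun webroot group allowKeysForGroup;
          extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
        })
      domains;

  # allowKeysForGroup above makes the private keys group-readable; keep this
  # membership list minimal.
  users.groups.tls.members = [ "nginx" ];

  # --- nginx ---------------------------------------------------------------

  services.nginx.virtualHosts =
    let
      vhosts = {
        # Presumably ZNC's web interface; 6667 is also the upstream of the
        # IRC stream proxy below.  Confirm ZNC trusts this proxy for client
        # addresses, otherwise it sees every request as 127.0.0.1.
        "znc.qyliss.net".locations."/".proxyPass = "http://127.0.0.1:6667/";
        "spectrumos.org".locations."/".return = "https://spectrum-os.org/";
        "spectrum-os.org".locations."/".root = "/var/www/spectrum-os.org";
        # Catch-all for requests whose Host matches no other vhost.  It has
        # no name to request a certificate for, so it reuses qyliss.net's.
        default = {
          serverName = null;
          default = true;
          enableACME = false;
          useACMEHost = "qyliss.net";
          locations."/".return = "https://alyssa.is/";
          # DNS-over-HTTPS endpoint, proxied to whatever listens on [::1]:4448.
          locations."/dns-query".proxyPass = "http://[::1]:4448/";
        };
        "git.qyliss.net" = {
          # Files that exist under the cgit package are served as-is; any
          # other path falls through to the cgit CGI via fcgiwrap.
          root = "${pkgs.cgit}/cgit";
          locations."@cgit".extraConfig = ''
            fastcgi_param CGIT_CONFIG ${cgitConfig};
            fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
            fastcgi_param PATH_INFO $uri;
            fastcgi_param QUERY_STRING $args;
            fastcgi_param HTTP_HOST $server_name;
            fastcgi_pass unix:/run/fcgiwrap.sock;
          '';
          extraConfig = ''
            try_files $uri @cgit;
          '';
        };
      };

      cgitConfig = pkgs.writeText "cgit.conf" ''
        root-desc=Alyssa Ross's personal Git repositories
        root-title=git.qyliss.net
        virtual-root=/
      '';
    in lib.mapAttrs
      # Every vhost is HTTPS-only with an ACME certificate unless it opts out.
      (_: { forceSSL ? true, enableACME ? true, ... } @ args:
        args // { inherit forceSSL enableACME; })
      vhosts;

  # IRC-over-TLS: terminate TLS here and hand the plaintext connection to
  # the listener on 127.0.0.1:6667.  The stream context does not inherit
  # any ssl_* directives set in the http context, so this server runs with
  # nginx's built-in TLS defaults.
  # NOTE(review): consider pinning `ssl_protocols` here (TLSv1.2, plus
  # TLSv1.3 if the nginx in use supports it), and adding
  # `listen [::]:6697 ssl;` -- `listen 6697` binds IPv4 only although the
  # host has a global IPv6 address.  Without PROXY protocol the upstream
  # sees every client as 127.0.0.1, so its own logs and per-IP controls
  # cannot tell clients apart.
  services.nginx.appendConfig = ''
    stream {
      server {
        listen 6697 ssl;
        ssl_certificate /var/lib/acme/qyliss.net/fullchain.pem;
        ssl_certificate_key /var/lib/acme/qyliss.net/key.pem;
        proxy_pass 127.0.0.1:6667;
      }
    }
  '';

  # --- Tor relay bandwidth accounting -------------------------------------

  services.tor.relay.accountingMax = "50 GBytes";
  services.tor.relay.accountingStart = "day 12:00";

  system.stateVersion = "18.03";
}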