# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

{
  inputs,
  outputs,
  config,
  lib,
  pkgs,
  ...
}:
let
  user = "admin";
  passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./filesystems.nix
    ./boot.nix
    ./apps.nix
    ./networking.nix
    ./ups.nix
    ./samba.nix
    ./services.nix
    ./sops.nix
    ../default.nix
  ];

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  # Cockpit
  services.cockpit = {
    enable = true;
    port = 9090;
    settings = {
      WebService = {
        AllowUnencrypted = true;
      };
    };
  };

  nix.settings.trusted-users = [ "@wheel" ];
  powerManagement.cpuFreqGovernor = "powersave";

  share.hardware.nvidia = {
    enable = true;
    enableBeta = false;
    enableOpen = true;
    nvidiaSettings = true;
    enableNvidiaDocker = true;
  };

  security.tpm2 = {
    enable = true;
  };

  # Configure environment
  environment = {
    #    etc."nut/upsd.conf".source = /home/matt/upsd.conf;
    #    etc."nut/upsd.users".source = /home/matt/upsd.users;
    #    etc."nut/upsmon.conf".source = /home/matt/upsmon.conf;

    etc.crypttab.text = ''
      ssd1 UUID=eff4b19c-aba7-41ab-b452-a8c6654d8754 none tpm2-device=auto
      ssd2 UUID=c8640e19-6cd9-49d0-a355-bac09d17ea0d none tpm2-device=auto
      hdd1 UUID=8d7dd657-d9b0-47ed-97e1-a9d1eba12b56 none tpm2-device=auto
      hdd2 UUID=11ee92b0-6334-4be7-bb2d-d85f5a3f51a6 none tpm2-device=auto
      hdd3 UUID=4463ea6f-3fcf-4e49-80c8-ba7f424471f0 none tpm2-device=auto
      hdd4 UUID=13fe7737-b72b-4d5f-a79d-1ca0d438f8f0 none tpm2-device=auto
      hdd5 UUID=2b4be219-613d-4512-8277-0260989d5377 none tpm2-device=auto
    '';

    # List packages installed in system profile. To search, run:
    # $ nix search wget

    sessionVariables = rec {
      CACHIX_AGENT_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJlY2RjYjJiNi05YWQ4LTRiYmMtYWEwYS1mNGU5Yzk1ODM2OTMiLCJzY29wZXMiOiJhZ2VudCJ9.8SENqsNZ-UIFV4atm-cZnMT6LR08Iz_raAZi5QVsppo";
    };

    systemPackages = with pkgs; [
      authentik
      binutils
      cryptsetup
      clinfo
      cmake
      duperemove
      efibootmgr
      ffmpeg
      gcc
      glances
      htop
      lm_sensors
      nano
      ninja
      nix-inspect
      nix-ld
      nmon
      nodejs-18_x
      nut
      packagekit
      pass
      pciutils
      protonmail-bridge
      protonvpn-cli
      python3
      sbctl
      speedtest-cli
      tailscale
      tpm2-tools
      tpm2-tss
      vim
      vulkan-tools
      wget
    ];
  };

  # Configure programs
  programs = {
    fish.enable = false;
    virt-manager.enable = true;
    nix-ld.enable = true;
    screen.enable = true;
  };

  # Configure nixpkgs
  nixpkgs = {
    overlays = [ outputs.overlays.nixpkgs-unstable ];

    config = {
      # Enable non free
      allowUnfree = true;

      permittedInsecurePackages = [
        # ...
      ];
    };
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {
    # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
    mutableUsers = false;
    groups.jallen-nas.gid = 1000; # create nas group cause truenas perms

    # Admin account
    users."${user}" = {
      isNormalUser = true;
      linger = true;
      extraGroups = [
        "wheel"
        "networkmanager"
        "docker"
        "podman"
        "libvirtd"
        "nix-apps"
        "jallen-nas"
      ]; # Enable ‘sudo’ for the user.
      hashedPasswordFile = passwordFile;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        # macBook
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
        # desktop windows
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
        # desktop nixos
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
      ];
      packages = with pkgs; [
        fastfetch
        git
        parted
        aspell
        aspellDicts.en
        aspellDicts.en-computers
        aspellDicts.en-science
        aha
        papirus-icon-theme
        firefox
      ];
    };

    # Nix app account
    users.nix-apps = {
      isSystemUser = true;
      uid = 911;
      group = "jallen-nas";
      extraGroups = [
        "jallen-nas"
        "docker"
        "podman"
        config.services.redis.servers.nextcloud.user
      ]; # Enable ‘sudo’ for the user.
      hashedPasswordFile = passwordFile;
    };

    groups.nut.name = "nut";
    users.upsuser = {
      group = "nut";
      isNormalUser = false;
      isSystemUser = true;
      createHome = true;
      home = "/var/lib/nut";
      hashedPasswordFile = passwordFile;
    };

    users.nextcloud = {
      isNormalUser = true;
      extraGroups = [
        "jallen-nas"
        "nix-apps"
      ];
      hashedPasswordFile = passwordFile;
    };
  };

  # Virtualisation
  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;
    };

    libvirtd.enable = true;
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
}