{ config, pkgs, lib, ... }:

{
  imports = [
    ../../modules
  ];

  # Default DNS domain for every host that imports this file.
  networking.domain = "net.clerie.de";

  # Firewall logging of refused connections is off unless a host overrides this
  # default (lib.mkDefault).
  # NOTE(review): with it off, rejected inbound connection attempts leave no
  # firewall log entries for detection or incident review — confirm this is
  # intended for internet-facing hosts.
  networking.firewall.logRefusedConnections = lib.mkDefault false;

  # System time zone.
  # NOTE(review): presumably log timestamps follow this zone, including DST
  # shifts — keep that in mind when correlating events with other systems.
  time.timeZone = "Europe/Berlin";

  # System locale and console keyboard layout.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    keyMap = "de-latin1";
  };

  # Members of "wheel" can run sudo without entering a password, so any process
  # running as a wheel user can become root with no further authentication.
  security.sudo.wheelNeedsPassword = false;

  nix.settings = {
    # Wheel members are trusted by the Nix daemon. The Nix manual describes
    # trusted users as essentially root-equivalent, so this is a second,
    # independent path to root for wheel: tightening the sudo rule above would
    # not remove it.
    trusted-users = [ "@wheel" ];
    # Deduplicate identical files in the Nix store to save disk space.
    auto-optimise-store = true;
  };

  # Administrative account: a regular user in "wheel" that logs in over SSH with
  # the public key below. This file also gives wheel passwordless sudo and Nix
  # trusted-user status and disables SSH password logins, so the matching
  # private key is the only credential between a network login and root.
  users.users.clerie = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      # NOTE(review): RSA key, presumably 2048-bit judging by the encoded
      # length — confirm the key size and that the private half is
      # passphrase-protected or hardware-backed.
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie"
    ];
  };

  # Tools installed system-wide on every host: disk partitioning (gptfdisk,
  # parted), process monitoring (htop), terminal multiplexing (tmux), the
  # colmena deployment tool, git and vim.
  environment.systemPackages = with pkgs; [
    gptfdisk
    htop
    parted
    tmux
    colmena
    git
    vim
  ];

  # Enable the NixOS mtr module.
  # NOTE(review): presumably this installs mtr through a capability wrapper so
  # unprivileged users can run it — confirm against the pinned nixpkgs.
  programs.mtr.enable = true;

  # SSH server on every host. Password and keyboard-interactive logins are
  # disabled, leaving key-based authentication. Direct root login is off by
  # default; lib.mkDefault lets an individual host override that, so a
  # per-host review should check for such overrides.
  # NOTE(review): newer NixOS releases moved these three options under
  # services.openssh.settings (PasswordAuthentication,
  # KbdInteractiveAuthentication, PermitRootLogin). Which spelling applies
  # depends on the pinned nixpkgs, which is not visible in this file.
  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.kbdInteractiveAuthentication = false;
  services.openssh.permitRootLogin = lib.mkDefault "no";

  # Weekly automatic garbage collection that passes --delete-older-than 30d;
  # set with lib.mkDefault so a host can define its own policy.
  # NOTE(review): presumably system generations older than 30 days are no
  # longer available for rollback or for inspecting an earlier configuration
  # once collected — confirm the retention period fits incident-review needs.
  nix.gc = lib.mkDefault {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };

  # Shared nginx defaults. This file does not set services.nginx.enable, so
  # these settings presumably take effect only on hosts that enable nginx
  # elsewhere.
  services.nginx = {
    # Apply configuration changes with a reload instead of a full restart.
    enableReload = true;
    # Use the gzip, performance, proxy-header and TLS presets from the NixOS
    # nginx module.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Larger hash bucket so that long server names fit.
    appendHttpConfig = ''
      server_names_hash_bucket_size 64;
    '';

    virtualHosts = {
      # Catch-all virtual host for requests that match no other server name.
      "default" = {
        default = true;
        # Reject TLS handshakes for unmatched names, so clients probing by IP
        # or unknown hostname are not answered with another vhost's
        # certificate.
        rejectSSL = true;
        locations."/" = {
          # Fixed plain-text reply that names no service or software.
          return = ''200 "Some piece of infrastructure\n"'';
          # Empty the MIME type map for this location so the reply is always
          # served as text/plain.
          extraConfig = ''
            types { } default_type "text/plain; charset=utf-8";
          '';
        };
      };
    };
  };

  # ACME certificate defaults: the contact address registered with the CA and
  # acceptance of the CA's terms of service, which NixOS requires before it
  # will request certificates.
  security.acme = {
    defaults.email = "letsencrypt@clerie.de";
    acceptTerms = true;
  };

  # Second nix.settings definition in this file; Nix merges it with the
  # earlier attribute set that sets trusted-users and auto-optimise-store.
  nix.settings = {
    # Enable the `nix` command-line interface and flakes.
    experimental-features = [ "nix-command" "flakes" ];
    # Private binary cache, fetched over HTTPS.
    substituters = [
      "https://nix-cache.clerie.de"
    ];
    # Store paths from the cache are accepted when signed by this key, so the
    # matching private signing key is part of the trust base of every host
    # that imports this file.
    # NOTE(review): confirm how that signing key is stored and rotated.
    trusted-public-keys = [
      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
    ];
  };

  # Repository-local package overlay applied to nixpkgs on every host; packages
  # it adds or replaces are built from definitions in this repository.
  nixpkgs.overlays = [
    (import ../../pkgs/overlay.nix)
  ];
}