# NixOS module for the machine whose hostname is set to "hs" below.
# It configures boot, NVIDIA graphics, one admin user, SSH, the firewall,
# and an nginx front end for Immich, Jellyfin, a service on local port 3000
# (vhost git.antoinevaure.fr) and nix-serve.
{ config, pkgs, ... }:
let
  # Public keys allowed to log in as `ant`. The same list is also passed to
  # ../remote-disk-unlock.nix in `imports`.
  sshKeys =
    let
      keyring = import ../../sshKeys.nix;
    in
    [
      keyring.basado
      keyring.moon
      keyring.allegro
      keyring.hs
    ];

  # Used for networking.domain and by the commented-out vhosts further down.
  # The active vhosts use antoinevaure.fr names instead.
  domain = "antoinev.freeboxos.fr";

  # Provides reverseProxy. Its definition is not visible in this file;
  # presumably it builds an nginx vhost that forwards to the given local port.
  # NOTE(review): confirm it enables ACME/forceSSL like the Immich vhost does.
  utils = import ../utils.nix;
in
{
  imports = [
    ./hardware-configuration.nix
    ./syncthing.nix
    ./disks.nix
    ./backup.nix
    ../common.nix
    ../forgejo.nix
    # Called with [ "r8169" ] (presumably the NIC kernel module needed early)
    # and the login key list.
    # NOTE(review): every key that can log in as `ant` is also handed to the
    # disk-unlock module; confirm that all of them are meant to have both roles.
    (import ../remote-disk-unlock.nix [ "r8169" ] sshKeys)
  ];

  # ---- Boot -----------------------------------------------------------------
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # ---- Graphics -------------------------------------------------------------
  hardware.graphics = {
    enable = true;
    enable32Bit = true;
    extraPackages = [ pkgs.nvidia-vaapi-driver ];
  };
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_535;
  services.xserver.videoDrivers = [ "nvidia" ];

  # The proprietary NVIDIA driver is unfree. This switch allows *all* unfree
  # packages, not only that driver.
  nixpkgs.config.allowUnfree = true;

  # ---- Network identity and firewall ----------------------------------------
  networking = {
    hostName = "hs";
    inherit domain;

    firewall = {
      allowedTCPPorts = [
        80 # plain HTTP; forceSSL on the Immich vhost redirects it to HTTPS
        443 # HTTPS
        # NOTE(review): presumably the game-server port. The only related unit
        # in this file (ragnamod) is disabled; if nothing else listens here,
        # remove the port from both lists.
        25565
      ];
      allowedUDPPorts = [ 25565 ];
    };

    interfaces.enp9s0.wakeOnLan.enable = true;
  };

  # ---- Accounts and privilege -----------------------------------------------
  users.users = {
    ant = {
      isNormalUser = true;
      description = "ant";
      extraGroups = [
        "networkmanager"
        "wheel"
        "jellyfin"
      ];
      openssh.authorizedKeys.keys = sshKeys;
    };

    # Adds the Immich service user to the "video" and "render" groups.
    immich.extraGroups = [
      "video"
      "render"
    ];
  };

  security = {
    # Members of wheel run sudo without a password. `ant` is in wheel, so a
    # login with any key in sshKeys is equivalent to root on this host.
    # Treat that key list as the root access list.
    sudo.wheelNeedsPassword = false;

    acme = {
      acceptTerms = true;
      defaults.email = "contact@antoinevaure.fr";
    };
  };

  # ---- Remote access --------------------------------------------------------
  # Password authentication is off, so the intent is key-only login.
  # NOTE(review): settings.KbdInteractiveAuthentication is not set here; check
  # its effective value so keyboard-interactive (PAM) cannot bring password
  # logins back.
  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;

  # Enabled with module defaults; no jails are customised in this file.
  services.fail2ban.enable = true;

  # ---- Base tooling ---------------------------------------------------------
  environment.systemPackages = [
    pkgs.neovim
    pkgs.tmux
    pkgs.nh
    pkgs.git
    pkgs.curl
    pkgs.wget
    pkgs.htop
  ];

  # ---- Game server (currently disabled) -------------------------------------
  # The unit runs as the unprivileged user `ant`. ExecStart points at a script
  # under /home/ant, outside the Nix store, so its content is not pinned or
  # reviewed through this configuration.
  systemd.services.ragnamod = {
    description = "Ragnamod server";
    enable = false;
    wantedBy = [ "default.target" ];
    after = [ "network.target" ];
    path = [ pkgs.jre ];
    serviceConfig.Type = "simple";
    serviceConfig.User = "ant";
    serviceConfig.ExecStart = "/home/ant/ragnamod/startserver.sh";
  };

  # ---- Monitoring -----------------------------------------------------------
  # openFirewall = true opens the Glances port in the firewall, so it is
  # reached directly rather than through the nginx vhosts below.
  # NOTE(review): no authentication for Glances is configured in this file.
  # Confirm that only trusted networks can reach it. Otherwise drop
  # openFirewall and publish it through a vhost with access control.
  services.glances.enable = true;
  services.glances.openFirewall = true;

  # ---- Media ----------------------------------------------------------------
  services.jellyfin.enable = true;

  # NOTE(review): per the NixOS option description, `null` leaves the
  # service's device access unrestricted. An explicit list of the devices
  # actually used for transcoding would be tighter; confirm before changing.
  services.immich.enable = true;
  services.immich.accelerationDevices = null;

  # ---- Binary cache ---------------------------------------------------------
  # secretKeyFile is the private signing key of the cache. Clients that trust
  # the matching public key accept any store path signed with it.
  # NOTE(review): owner and mode of this file are not managed here; verify it
  # is readable only by root and the nix-serve service user, and is excluded
  # from world-readable backups.
  services.nix-serve.enable = true;
  services.nix-serve.secretKeyFile = "/var/cache-priv-key.pem";

  # ---- Reverse proxy --------------------------------------------------------
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "immich.antoinevaure.fr" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          # Sized for large media uploads: requests of up to 50000M are
          # accepted, with 600s timeouts. This is also the per-request ceiling
          # on what a client can push to disk, so pair it with free-space
          # monitoring on the Immich storage volume.
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
            send_timeout 600s;
          '';
        };
      };

      "jellyfin.antoinevaure.fr" = utils.reverseProxy 8096;
      "git.antoinevaure.fr" = utils.reverseProxy 3000;
      "nixcache.antoinevaure.fr" = utils.reverseProxy config.services.nix-serve.port;

      # Disabled vhosts kept from the original file. As written they call a
      # bare `reverseProxy` and reference `qbittorrentPort`; neither is defined
      # in this file, so re-enabling them requires utils.reverseProxy and a
      # port binding.
      # "sonarr.${domain}" = (reverseProxy 8989);
      # "radarr.${domain}" = (reverseProxy 7878);
      # "qbittorrent.${domain}" = (reverseProxy qbittorrentPort);
      # "nextcloud.${domain}" = {
      #   enableACME = true;
      #   forceSSL = true;
      # };
    };
  };

  # Pins the release whose stateful defaults this machine was installed with.
  system.stateVersion = "24.11";
}