{ config, lib, self, ... }:

let
  # One switch feeds both the PostgreSQL module and the Matrix service, so the
  # two settings cannot drift apart (the original expressed this with `rec`).
  usePostgres = true;

  # agenix secret name for the ZITADEL master key; reused for the secret
  # definition and for the path handed to the service.
  masterKeySecret = "files/services/zitadel/masterkey";

  # Public hostname of the identity provider; also the nginx vhost name.
  identityDomain = "id.vimium.com";
in
{
  imports = [
    ./hardware-configuration.nix
    ../server.nix
  ];

  nixpkgs.hostPlatform = "x86_64-linux";

  networking.hostId = "08bf6db3";

  # Only SSH is opened explicitly in this file. The services enabled under
  # `modules` below are expected to open their own ports — not visible here.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22 # SSH
    ];
  };

  users.groups.jellyfin = { };

  # NOTE(review): this system account has a login shell and an authorized key,
  # so it is a remote-access path in its own right; keep its key list minimal.
  users.users.jellyfin = {
    isSystemUser = true;
    group = "jellyfin";
    shell = "/bin/sh";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
    ];
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
  ];

  # mkForce overrides whatever ../server.nix sets: root may authenticate over
  # SSH with the key above only, never with a password.
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

  services.postgresql = {
    ensureDatabases = [ "zitadel" ];
    ensureUsers = [
      {
        name = "zitadel";
        ensureDBOwnership = true;
        # Role privileges beyond DB ownership; presumably required by
        # ZITADEL's own setup step, which uses the same login below — confirm
        # they are still needed once the instance is initialised.
        ensureClauses = {
          createdb = true;
          createrole = true;
        };
      }
    ];
  };

  # Decrypted at activation and readable only by the zitadel user/group.
  age.secrets.${masterKeySecret} = {
    file = "${self.inputs.secrets}/${masterKeySecret}.age";
    owner = "zitadel";
    group = "zitadel";
  };

  # Do not start ZITADEL before its database is available.
  systemd.services.zitadel.after = [ "postgresql.service" ];

  services.zitadel = {
    enable = true;
    masterKeyFile = config.age.secrets.${masterKeySecret}.path;

    settings = {
      # Both roles connect through the local Unix socket (Host is a socket
      # directory), so SSL.Mode = "disable" does not imply cleartext on the
      # network.
      Database.postgres = {
        Host = "/run/postgresql";
        Port = 5432;
        Database = "zitadel";
        User = {
          Username = "zitadel";
          SSL.Mode = "disable";
        };
        Admin = {
          ExistingDatabase = "zitadel";
          Username = "zitadel";
          SSL.Mode = "disable";
        };
      };

      DefaultInstance = {
        InstanceName = "Vimium";
        Org = {
          Name = "Vimium";
          Human = {
            UserName = "admin@vimium.com";
            FirstName = "Vimium";
            LastName = "Admin";
          };
        };
        DomainPolicy.UserLoginMustBeDomain = true;
      };

      # TLS terminates at nginx (forceSSL below); nginx forwards to ZITADEL over
      # plain HTTP on localhost:8081, while external URLs are generated as
      # https://id.vimium.com.
      ExternalDomain = identityDomain;
      ExternalPort = 443;
      ExternalSecure = true;
      Port = 8081;
      WebAuthNName = "Vimium";
    };

    # Bootstrap data for the first instance (initial human admin account).
    steps.FirstInstance = {
      InstanceName = "Vimium";
      Org.Human = {
        UserName = "jordan@vimium.com";
        FirstName = "Jordan";
        LastName = "Holt";
        Email.Address = "jordan@vimium.com";
      };
    };
  };

  services.nginx.virtualHosts.${identityDomain} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.zitadel.settings.Port}";
      # Pass the client address, original scheme and Host through to the
      # backend.
      extraConfig = ''
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
      '';
    };
  };

  modules = {
    databases.postgresql.enable = usePostgres;

    services = {
      # /var/lib includes the state of the services enabled here; the backup
      # repository therefore holds the same sensitivity as the live host.
      borgmatic = {
        enable = true;
        directories = [ "/home" "/var/lib" "/var/www" ];
        repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
      };
      coturn = {
        enable = true;
        realm = "turn.vimium.com";
        matrixIntegration = true;
      };
      gitea.enable = true;
      headscale.enable = true;
      matrix = {
        enable = true;
        bridges = {
          signal = true;
          whatsapp = true;
        };
        usePostgresql = usePostgres;
      };
      nginx.enable = true;
      photoprism.enable = true;
    };
  };

  system.stateVersion = "22.11";
}