# NixOS host configuration for a Raspberry Pi 4 that acts as a home-automation
# hub: Wi-Fi client, system-wide PipeWire audio through a HiFiBerry overlay,
# Home Assistant in a podman container, a Mosquitto broker, zigbee2mqtt and
# borgmatic backups. Secrets are age-encrypted files taken from `inputs.secrets`.
{ config, lib, pkgs, inputs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../server.nix
  ];

  system.stateVersion = "22.11";

  environment.systemPackages = [
    pkgs.libraspberrypi
    pkgs.raspberrypi-eeprom
  ];

  # ---- Hardware -----------------------------------------------------------
  hardware = {
    raspberry-pi."4" = {
      apply-overlays-dtmerge.enable = true;
      audio.enable = false;
      fkms-3d.enable = false;
      xhci.enable = false;
    };

    deviceTree = {
      enable = true;
      overlays = [
        {
          name = "hifiberry-digi-pro";
          dtboFile = "${pkgs.device-tree_rpi.overlays}/hifiberry-digi-pro.dtbo";
        }
      ];
    };

    firmware = [
      pkgs.firmwareLinuxNonfree
      pkgs.wireless-regdb
    ];
  };

  # ---- Networking ---------------------------------------------------------
  networking.hostId = "731d1660";

  # Environment file holding the Wi-Fi PSK; decrypted at activation time so the
  # key never lands in the world-readable Nix store.
  age.secrets."passwords/networks.age".file = "${inputs.secrets}/passwords/networks.age";

  networking.wireless = {
    enable = true;
    interfaces = [ "wlan0" ];
    environmentFile = config.age.secrets."passwords/networks.age".path;
    # "@PSK_APOLLO@" is substituted from `environmentFile`, not a literal key.
    networks."Apollo 600 Mbps".psk = "@PSK_APOLLO@";
  };

  # ---- Audio --------------------------------------------------------------
  sound.enable = true;
  security.rtkit.enable = true;

  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    # NOTE(review): one shared PipeWire instance instead of per-user sessions;
    # confirm which accounts are meant to have access to it.
    systemWide = true;
  };

  # ---- Home Assistant (container) -----------------------------------------
  virtualisation.oci-containers = {
    backend = "podman";
    containers.homeassistant = {
      # NOTE(review): `:stable` is a mutable tag, so the image that runs can
      # change without any change to this file. Pinning by digest would make
      # the deployed image auditable.
      image = "ghcr.io/home-assistant/home-assistant:stable";
      volumes = [ "home-assistant:/config" ];
      environment.TZ = config.time.timeZone;
      extraOptions = [
        # Shares the host network namespace: the container can reach every
        # service listening on the host, including the broker on
        # localhost:1883, and anything it binds is bound on the host itself.
        "--network=host"
        # NOTE(review): this device node is also zigbee2mqtt's `serial.port`
        # below; confirm both are really meant to open the same adapter.
        "--device=/dev/ttyUSB0:/dev/ttyUSB0"
      ];
    };
  };

  # ---- MQTT broker --------------------------------------------------------
  services.mosquitto = {
    enable = true;
    listeners = [
      {
        # Plain (non-TLS) MQTT port with anonymous clients allowed.
        # NOTE(review): no `address` is set on this listener. The only client
        # visible in this file connects via localhost, so confirm which
        # interfaces it binds and whether the firewall (presumably configured
        # in ../server.nix) keeps 1883 off untrusted networks.
        port = 1883;
        settings.allow_anonymous = true;
      }
    ];
  };

  # ---- zigbee2mqtt --------------------------------------------------------
  # The secret file is placed inside zigbee2mqtt's data directory and owned by
  # its service user; `network_key` below is read from it via the `!secret.yaml`
  # reference rather than being written into this file.
  age.secrets."files/services/zigbee2mqtt/secret.yaml" = {
    file = "${inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
    path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
    owner = "zigbee2mqtt";
    group = "zigbee2mqtt";
  };

  services.zigbee2mqtt = {
    enable = true;
    dataDir = "/var/lib/zigbee2mqtt";
    settings = {
      homeassistant = true;
      # NOTE(review): the web frontend is switched on and no authentication
      # setting for it appears in this file; confirm it is reachable only from
      # trusted networks.
      frontend = true;
      device_options.retain = true;
      serial.port = "/dev/ttyUSB0";
      advanced = {
        channel = 20;
        network_key = "!secret.yaml network_key";
        pan_id = 13001;
        ext_pan_id = [ 79 1 73 47 250 136 124 222 ];
      };
      mqtt = {
        version = 5;
        server = "mqtt://localhost:1883";
      };
    };
  };

  # ---- Backups ------------------------------------------------------------
  age.secrets."passwords/services/borg/pi-passphrase".file = "${inputs.secrets}/passwords/services/borg/pi-passphrase.age";

  services.borgmatic = {
    enable = true;
    settings = {
      # /var/lib/zigbee2mqtt contains the decrypted secret.yaml (see its `path`
      # above), so the Zigbee network key is part of every archive and is
      # protected only by the repository passphrase.
      source_directories = [
        "/var/lib/mosquitto"
        "/var/lib/zigbee2mqtt"
      ];
      repositories = [
        {
          label = "borgbase";
          path = "ssh://qcw86s11@qcw86s11.repo.borgbase.com/./repo";
        }
      ];
      storage = {
        # The passphrase is read from the decrypted age secret at run time.
        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/pi-passphrase".path}";
        # NOTE(review): the SSH *host* private key doubles as the backup client
        # identity. A dedicated key would let repository access be rotated or
        # revoked without touching the host's own identity.
        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
      };
      retention = {
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 6;
      };
    };
  };

  # Without this override, `cat` is unavailable for `encryption_passcommand`
  # inside the confined borgmatic unit.
  systemd.services.borgmatic.confinement.fullUnit = true;
}