# Host configuration: Kanidm identity provider (fronted by nginx), Outline
# wiki authenticating against it via OIDC, plus the shared service modules
# (borgmatic, coturn, headscale, matrix, nginx, photoprism, postgresql).
{ config, pkgs, lib, self, ... }:

let
  baseDomain = "vimium.com";
  authDomain = "auth.${baseDomain}";
  authUri = "https://${authDomain}";
  outlineDomain = "outline.${baseDomain}";

  # Kanidm serves its own TLS on this loopback socket; nginx terminates the
  # public certificate and re-encrypts to it.
  kanidmBind = "127.0.0.1:3013";

  # Directory where the ACME module places the renewed chain/key for the
  # auth host; Kanidm reads its TLS material straight from here.
  acmeDir = config.security.acme.certs.${authDomain}.directory;

  # Name of the agenix secret holding Outline's OIDC client secret.
  outlineSecret = "passwords/services/outline/oidc-client-secret";
in
{
  imports = [
    ./hardware-configuration.nix
    ./gitea.nix
    ../server.nix
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
  nixpkgs.config.allowUnfree = true;

  networking.hostId = "08bf6db3";

  # Only SSH is opened by this file; nothing else below adds firewall rules.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22 # SSH
    ];
  };

  users.groups.jellyfin = { };

  users.users.jellyfin = {
    isSystemUser = true;
    group = "jellyfin";
    # A real shell (rather than the default nologin) so the authorized key
    # below can open a session — presumably for remote media access; verify.
    shell = "/bin/sh";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
    ];
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
  ];

  # Both Kanidm and nginx need read access to the auth host's certificate.
  users.extraGroups.acme.members = [ "kanidm" "nginx" ];

  # Root may log in with the key above only; password auth stays disabled
  # even if an imported module sets something more permissive.
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

  security.acme.certs.${authDomain} = {
    group = "acme";
    # Restart so Kanidm re-reads the renewed chain and key from acmeDir.
    postRun = "systemctl restart kanidm.service";
  };

  services.kanidm = {
    package = pkgs.unstable.kanidm;
    enableServer = true;
    enableClient = true;
    clientSettings.uri = authUri;
    serverSettings = {
      domain = baseDomain;
      origin = authUri;
      bindaddress = kanidmBind;
      # LDAPS listener bound to a 100.64.0.0/10 (CGNAT-range) address —
      # presumably the headscale/tailnet interface. Port 636 is not opened in
      # networking.firewall above; NOTE(review): confirm it is reachable only
      # over the intended interface.
      ldapbindaddress = "100.64.0.1:636";
      tls_chain = "${acmeDir}/full.pem";
      tls_key = "${acmeDir}/key.pem";
    };
  };

  services.nginx.virtualHosts.${authDomain} = {
    useACMEHost = authDomain;
    forceSSL = true;
    locations."/".proxyPass = "https://${kanidmBind}";
  };

  services.nginx.virtualHosts.${outlineDomain} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
      # WebSocket upgrade plus the forwarding headers Outline relies on to
      # build correct external URLs.
      extraConfig = ''
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
      '';
    };
  };

  age.secrets.${outlineSecret} = {
    file = "${self.inputs.secrets}/${outlineSecret}.age";
    owner = "outline";
    group = "outline";
  };

  services.outline = {
    enable = true;
    publicUrl = "https://${outlineDomain}";
    # TLS is terminated by the nginx vhost above, so Outline itself serves
    # plain HTTP on loopback.
    forceHttps = false;
    storage.storageType = "local";
    oidcAuthentication = {
      displayName = "Vimium";
      clientId = "outline";
      clientSecretFile = config.age.secrets.${outlineSecret}.path;
      authUrl = "${authUri}/ui/oauth2";
      tokenUrl = "${authUri}/oauth2/token";
      userinfoUrl = "${authUri}/oauth2/openid/outline/userinfo";
    };
  };

  modules.services = rec {
    borgmatic = {
      enable = true;
      directories = [ "/home" "/var/lib" "/var/www" ];
      repoPath = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo";
    };
    coturn = {
      enable = true;
      realm = "turn.${baseDomain}";
      matrixIntegration = true;
    };
    headscale.enable = true;
    matrix = {
      enable = true;
      bridges = {
        signal = true;
        whatsapp = true;
      };
      # Follows the postgresql toggle below so the two cannot drift apart.
      usePostgresql = postgresql.enable;
    };
    nginx.enable = true;
    photoprism.enable = true;
    postgresql.enable = true;
  };

  system.stateVersion = "22.11";
}