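{ config, pkgs, ... }:

# NixOS host configuration for a Forgejo Actions runner ("oracle-arm").
#
# Security-relevant points of this machine:
#   * The runner executes CI jobs in Docker containers, and this host runs the
#     Docker daemon, so anything that can push a workflow to git.gmem.ca can
#     run code with Docker-socket (effectively root) privileges here.
#   * Everything in this file ends up in the world-readable /nix/store, so it
#     must not contain secrets; the runner registration token is read from a
#     root-only file outside the store (see `tokenFile` below).
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  nixpkgs.config.allowUnfree = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
  ];

  # Forgejo Actions runner (the Gitea module is reused with the Forgejo package).
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.oracle-arm = {
      name = "oracle-arm";
      enable = true;
      # Jobs requesting "debian-latest-arm" run in this container image.
      # NOTE(review): node:18-bullseye is a fixed, ageing base image; keep it
      # updated or the job containers accumulate known vulnerabilities.
      labels = [ "debian-latest-arm:docker://node:18-bullseye" ];
      url = "https://git.gmem.ca";
      # The registration token MUST NOT be written as `token = "..."` here:
      # any string literal in this file is copied verbatim into the
      # world-readable /nix/store (and into git history of the config).
      # `tokenFile` points at a root-only environment file, provisioned out of
      # band (e.g. by a secrets tool), containing exactly one line:
      #     TOKEN=<registration token from the Forgejo "Runners" page>
      # The token that was previously hard-coded in this file has been exposed
      # in the clear and must be revoked/regenerated on the Forgejo instance.
      tokenFile = "/var/lib/forgejo-runner/oracle-arm.env";
      settings = {
        # Port of the runner's local actions cache server.
        cache.port = 4328;
      };
    };
  };

  programs.zsh.enable = true;
  programs.fish.enable = true;
  environment.shells = with pkgs; [ zsh fish ];

  networking = {
    hostName = "forgejo-action-runner";
    domain = "gmem.ca";
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
    nftables.enable = true;
    firewall = {
      enable = true;
      # Traffic arriving over the tailnet bypasses the port filter entirely.
      trustedInterfaces = [ "tailscale0" ];
      # Tailscale requires loose reverse-path filtering; strict mode drops its
      # packets.
      checkReversePath = "loose";
      # These ports are open on EVERY non-trusted interface, including the
      # public one. Nothing in this configuration listens on 80/443, and 4328
      # (the actions cache server above) only needs to be reachable from job
      # containers on the Docker bridge. NOTE(review): consider reducing this
      # to [ 22 ] — or to nothing, reaching SSH only via tailscale0 — unless
      # something outside this file depends on these ports.
      allowedTCPPorts = [ 22 80 443 4328 ];
      allowedUDPPorts = [ ];
    };
  };

  # Root's SSH keys are pulled from a URL at evaluation time. The fetch is
  # content-addressed: `hash` pins the exact key list, so a changed or
  # compromised endpoint fails the build instead of silently installing
  # different keys. Update the hash whenever the published key list changes.
  users.users.root.openssh.authorizedKeys.keys =
    let
      keyList = pkgs.fetchurl {
        url = "https://gmem.ca/ssh";
        hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
      };
      rawLines = pkgs.lib.splitString "\n" (builtins.readFile keyList);
    in
    # A trailing newline in the fetched file yields an empty entry; drop it so
    # no blank line is written to authorized_keys.
    builtins.filter (line: line != "") rawLines;

  # Required for the docker:// job labels above. Job containers get access to
  # the Docker daemon, i.e. effectively root on this host.
  virtualisation.docker.enable = true;

  services.openssh = {
    enable = true;
    settings = {
      # The only provisioned login is root-by-key (see authorizedKeys above),
      # so make the key-only policy explicit and refuse password prompts.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  services.tailscale.enable = true;

  system.stateVersion = "23.11";
}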