# NixOS host configuration for the "dnsmasq-cache" machine: a caching DNS
# forwarder served over Tailscale, plus a Prometheus exporter for dnsmasq.
# Option reference: configuration.nix(5), https://search.nixos.org/options
# and the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:

let
  # Runtime path of the decrypted agenix secret. `let` bindings are lazy, so
  # reading `config` here behaves exactly like reading it inline below.
  nextdnsProfilePath = config.age.secrets.dnsmasq-nextdns-profile.path;
in
{
  imports = [
    # Results of the hardware scan for this machine.
    ./hardware-configuration.nix
  ];

  # Encrypted dnsmasq configuration fragment (presumably the NextDNS profile,
  # judging by its name). It is decrypted at activation and owned by the
  # dnsmasq user, so the profile never lands in the world-readable Nix store.
  age.secrets.dnsmasq-nextdns-profile = {
    file = ../../secrets/dnsmasq-nextdns-profile.age;
    owner = "dnsmasq";
  };

  nix.settings = {
    auto-optimise-store = true;
    experimental-features = [ "nix-command" "flakes" ];
  };

  # systemd-boot on an EFI system.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  networking = {
    hostName = "dnsmasq-cache";
    nftables.enable = true;

    firewall = {
      enable = true;
      # Incoming traffic on these interfaces is accepted unconditionally.
      trustedInterfaces = [ "enp6s18" "tailscale0" ];
      # "loose" relaxes reverse-path filtering; strict mode would otherwise
      # drop replies that arrive via tailscale0.
      checkReversePath = "loose";

      # NOTE(review): these ports are opened on every interface, not only the
      # trusted ones, while dnsmasq below answers only on tailscale0. dnsmasq
      # ignores queries from interfaces it is not configured for, but the
      # exporter on 9153 (presumably its scrape port) has no such guard — if
      # this host has any other reachable interface, confirm that exposure.
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 22 53 9153 ];
      # The purpose of this wide UDP range is not recorded here — TODO confirm
      # it is still needed and narrow it if possible.
      allowedUDPPortRanges = [
        { from = 3000; to = 22000; }
      ];
    };
  };

  services = {
    openssh.enable = true;
    tailscale.enable = true;

    dnsmasq = {
      enable = true;
      settings = {
        # Only answer queries that arrive on the Tailscale interface.
        interface = "tailscale0";
        cache-size = "4000";
        # Ignore /etc/resolv.conf; the `server` list below is the only source
        # of upstreams.
        no-resolv = true;
        # Never forward reverse lookups for private address ranges upstream.
        bogus-priv = true;
        # Try upstreams in the listed order instead of by measured latency.
        strict-order = true;
        # Upstream forwarders (presumably NextDNS anycast addresses). dnsmasq
        # speaks plain DNS to them — this hop is not encrypted.
        server = [
          "2a07:a8c1::"
          "45.90.30.0"
          "2a07:a8c0::"
          "45.90.28.0"
        ];
        # Pulls the decrypted profile fragment into dnsmasq at startup.
        conf-file = "${nextdnsProfilePath}";
      };
    };
  };

  environment.systemPackages = [ pkgs.tailscale ];

  # dnsmasq metrics exporter. --network=host places the container in the
  # host's network namespace, presumably so it can reach dnsmasq locally and
  # expose its metrics port directly on the host.
  virtualisation.oci-containers.containers.dnsmasq_exporter = {
    image = "git.gmem.ca/arch/dnsmasq_exporter";
    extraOptions = [ "--network=host" ];
  };

  # Release this system was first installed with. It controls stateful
  # defaults; do not bump it without reading the NixOS release notes.
  system.stateVersion = "23.11";
}