{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware.nix
      <home-manager/nixos>
    ];
  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = ["nix-command" "flakes"];
    };
  };
  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = ["zfs"];
    kernelModules = [ "coretemp" "kvm-amd" "it87" ];
    zfs.extraPools = ["Primary"];
  };

  services = {
    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    n8n = {
      enable = true;
      openFirewall = true;
    };
    nfs.server.enable = true;
    samba-wsdd.enable = true;
    samba = {
      enable = true;
      securityType = "user";
      extraConfig = ''
    workgroup = WORKGROUP
    server string = smbnix
    netbios name = smbnix
    security = user 
    #use sendfile = yes
    #max protocol = smb2
    # note: localhost is the ipv6 localhost ::1
    hosts allow = 100. 192.168.50. 127.0.0.1 localhost
    hosts deny = 0.0.0.0/0
    guest account = nobody
    map to guest = bad user
  '';
      shares = {
        media = {
          path = "/Primary/media";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        becki = {
          path = "/Primary/becki";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "becki";
        };
        shared = {
          path = "/Primary/shared";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        gabriel = {
          path = "/Primary/gabriel";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "gsimmer";
        };
      };
    };
    plex = {
      enable = true;
      openFirewall = true;
    };
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # other Nginx options
      virtualHosts."n8n.gmem.ca" =  {
        enableACME = true;
        forceSSL = true;
        acmeRoot = null;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5678";
          proxyWebsockets = true; # needed if you need to use WebSocket
          extraConfig =
            # required when the target is also TLS server with multiple hosts
            # "proxy_ssl_server_name on;" +
            # required when the server wants to use HTTP Authentication
            "proxy_pass_header Authorization;"
          ;
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = { email = "acme@gmem.ca";
                 dnsProvider = "route53";
                 credentialsFile = "/Primary/gabriel/.aws/credentials";
                 # We don't need to wait for propagation since this is a local DNS server
               };
  };

  networking = {
    hostId = "e1e29bf4";
    hostName = "vancouver";
    domain = "gmem.ca";
    firewall = {
      trustedInterfaces = ["tailscale0"];
      checkReversePath = "loose";
      enable = false;
    };
    nftables.enable = true;
  };
  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
    home-manager
    lm_sensors
    screen
    nix-output-monitor
  ];

  time.timeZone = "Europe/London";
  nixpkgs.config.allowUnfree = true;
  hardware = {
    opengl.enable = true;
    nvidia.modesetting.enable = true;
    pulseaudio.enable = false;
  };

  programs = {
    zsh.enable = true;
    fish.enable = true;
  };
  environment.shells = with pkgs; [ zsh fish ];

  users.users = {
    gsimmer = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/gabriel";
      extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICCc6k8tl2ahB3HtjpGK403Wkk+nQKgIhSgdBXxmXdsEAAAABHNzaDo="
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMO7u+6hBN3XJfRFZCxADyLJfI8zGO2pj9AxkF0FecSR8GFuzP77wyUzmHosQcxe/P/N1TeNdfIDCatogqft9w4="
      ];
    };
    becki = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/becki";
    };
    root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr" 
    ];
  };

  home-manager.users.gsimmer = { pkgs, ... }: {
    programs.git = {
      userName = "Gabriel Simmer";
      userEmail = "git@gmem.ca";
    };
    programs.bash.enable = false;

    home.stateVersion = "23.05";
  };

  virtualisation = {
    docker = {
      enable = true;
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
    libvirtd.enable = true;
  };

  sound.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };
  system.stateVersion = "23.05";
}