# NixOS host module for a machine whose root dataset is reset on every boot:
# static IPv4 on intif0, links from the transient root into /state for the
# files that must survive, and sshd host keys read directly from /state.
{ config, lib, pkgs, ... }:

let
  # Static IPv4 address assigned to intif0 below.
  primary-ip = "10.0.0.21";
in {
  config = {
    # Static addressing only: DHCP is switched off on intif0 and the default
    # route leaves through the same interface.
    networking.defaultGateway = {
      interface = "intif0";
      address = "10.0.0.1";
    };
    networking.interfaces.intif0 = {
      useDHCP = false;
      ipv4.addresses = [
        { address = primary-ip; prefixLength = 22; }
      ];
    };

    # fudo.secrets is not a stock NixOS option; the module that declares it is
    # not in this file.
    # NOTE(review): presumably the group and users listed here are the ones
    # granted access to secret-paths -- confirm against that module.
    fudo.secrets = {
      secret-paths = [ "/state/secrets" ];
      secret-group = "fudo-secrets";
      secret-users = [ "niten" ];
    };

    # Disabled settings, kept for reference:
    # boot.kernelParams = [ "nomodeset" ];
    # console.font = "VGA";

    # tmpfiles "L" entries create a symlink when the path does not exist yet.
    # They recreate root's GnuPG home, SSH client identity and known_hosts, and
    # the default sshd host-key paths, each pointing at its copy under /state.
    # NOTE(review): these lines only create the links. Ownership and mode of the
    # targets under /state (private keys, gnupg home) are not managed anywhere
    # in this file -- verify they are readable by root only.
    systemd.tmpfiles.rules = [
      "L /root/.gnupg - - - - /state/root/gnupg"
      # "L /root/.emacs.d - - - - /state/root/emacs.d"
      "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
      "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
      "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
      "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
      "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
    ];

    environment.systemPackages = [ pkgs.nixopsUnstable ];

    # /etc entries whose content lives under /state. The sources are strings,
    # not Nix path literals, so nothing here is copied into the Nix store.
    environment.etc.nixos.source = "/state/nixos";
    environment.etc.adjtime.source = "/state/etc/adjtime";
    environment.etc.NIXOS.source = "/state/etc/NIXOS";
    environment.etc."host-config.nix".source = "/state/etc/host-config.nix";

    system.stateVersion = "20.09";

    # Runs in the initrd after any other postDeviceCommands (mkAfter): roll the
    # root dataset back to its `blank` snapshot. `-r` also destroys snapshots
    # taken after `blank`, so whatever was written to that dataset since the
    # last boot is discarded.
    # NOTE(review): presumably /state sits on a dataset this rollback does not
    # touch -- confirm in the filesystem configuration.
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
    '';

    # The rollback also resets sudo's record of who has seen the lecture, so
    # the lecture is disabled outright.
    security.sudo.extraConfig = ''
      # rollback results in sudo lectures after each reboot
      Defaults lecture = never
    '';

    # sshd reads its host keys from /state, so the host identity stays the same
    # across rollbacks. services.openssh.enable is not set in this file.
    services.openssh.hostKeys = [
      { type = "ed25519"; path = "/state/ssh/ssh_host_ed25519_key"; }
      { type = "rsa"; bits = 4096; path = "/state/ssh/ssh_host_rsa_key"; }
    ];
  };
}