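# NixOS host configuration for a small router/gateway: one DHCP uplink
# (enp1s0), three internal interfaces, a persisted-state layout under /state,
# and the fudo local-network / dns-filter-proxy services.
#
# Review notes (security):
#   * The only consumer of TCP 80/443 in this file (the nginx vhosts) is
#     commented out, yet the original opened 80/443 on *every* interface,
#     including the DHCP uplink.  The firewall opening and the
#     nginx->bind ordering dependency are now gated on
#     `config.services.nginx.enable`, so they only take effect when nginx is
#     actually turned back on.  If some other service is expected to serve
#     80/443 from the WAN side it should open the ports itself.
#   * Root's private SSH key and the SSH host keys are kept on /state.  For
#     `L` (symlink) tmpfiles entries the mode/uid/gid fields are ignored, so
#     the protection lives entirely on the targets under /state — confirm
#     they are root:root 0600 and that /state is not world-readable.
{ config, lib, pkgs, ... }:

with lib;
let
  primary-ip = "10.0.0.1";

  host-config = config.fudo.hosts.${config.instance.hostname};
  site-name = host-config.site;
  site = config.fudo.sites.${site-name};
  domain-name = host-config.domain;
  domain = config.fudo.domains.${domain-name};

  # dns-proxy-port = 5335;

  # Single source of truth for "is nginx on?"; used below to tie the 80/443
  # firewall opening and the bind ordering dependency to the web server.
  nginx-enabled = config.services.nginx.enable;

in {
  config = {
    networking = {
      interfaces = {
        # Uplink / external interface.
        enp1s0 = { useDHCP = true; };
        # Primary internal interface; the gateway's address on the LAN.
        intif0 = {
          useDHCP = false;
          ipv4.addresses = [{
            address = primary-ip;
            prefixLength = 16;
          }];
        };
        intif1 = { useDHCP = false; };
        intif2 = { useDHCP = false; };
      };
      enableIPv6 = false;
      # nameservers = [ "10.0.0.1" ];
      # FIXME: this should be automatic
      # NOTE(review): if this is ever revived, trusting "docker0" lets every
      # container bypass the host firewall entirely; prefer explicit ports.
      # firewall.trustedInterfaces =
      #   [ "intif0" "intif1" "intif2" "lo" "docker0" ];
      # nat = {
      #   enable = true;
      #   externalInterface = "enp1s0";
      #   internalInterfaces = [ "intif0" "intif1" "intif2" ];
      # };
    };

    fudo = {
      hosts.limina.external-interfaces = [ "enp1s0" ];
      client.dns.external-interface = "enp1s0";
      garbage-collector = {
        enable = true;
        timing = "weekly";
      };
      services = {
        # Presumably provides NAT/forwarding between the internal interfaces
        # and enp1s0 (the commented-out networking.nat above suggests it
        # replaced that) — defined in the fudo modules, not visible here.
        local-network = {
          enable = true;
          internal-interfaces = [ "intif0" "intif1" "intif2" ];
          external-interface = "enp1s0";
          dns-filter-proxy.enable = true;
        };
        metrics = {
          prometheus.state-directory = "/state/services/prometheus";
        };
        # NOTE(review): do not enable this with an empty peer public-key;
        # fill in the real key first.
        # wireguard-gateway = {
        #   enable = true;
        #   network = "10.0.200.0/24";
        #   peers = {
        #     niten-phone = {
        #       public-key = "";
        #       assigned-ip = "10.0.200.2";
        #     };
        #   };
        # };
      };
    };

    # NOTE(review): if this container setup is revived, (a) the image tag is
    # several years old — re-pin; (b) `ports` without a host address publishes
    # on 0.0.0.0, i.e. on enp1s0 too, and Docker's own iptables rules bypass
    # the NixOS firewall — bind to "${primary-ip}:5353:53/udp" etc. instead.
    # virtualisation = {
    #   docker = {
    #     enable = true;
    #     autoPrune.enable = true;
    #     enableOnBoot = true;
    #   };
    #   oci-containers = {
    #     backend = "docker";
    #     containers = {
    #       pihole = {
    #         image = "pihole/pihole:2021.10";
    #         autoStart = true;
    #         ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
    #         environment = {
    #           # ServerIP = primary-ip;
    #           VIRTUAL_HOST = "dns-hole.sea.fudo.org";
    #           DNS1 = "${primary-ip}#${toString dns-proxy-port}";
    #         };
    #         volumes = [
    #           "/state/pihole/etc-pihole/:/etc/pihole/"
    #           "/state/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
    #         ];
    #       };
    #     };
    #   };
    # };

    # Support for statelessness: everything that must survive a rebuild of
    # the root filesystem lives under /state and is linked into place.
    environment.etc = {
      # TODO: replace with current config
      # nixos.source = "/state/nixos";
      NIXOS.source = "/state/etc/NIXOS";
      "host-config.nix".source = "/state/etc/host-config.nix";
    };

    # Symlinks only: the "- - - -" mode/uid/gid/age fields do not apply to
    # `L` entries, so the permissions on the /state targets are what protect
    # root's GnuPG home and private key.
    systemd.tmpfiles.rules = [
      "L /etc/adjtime - - - - /state/etc/adjtime"
      "L /root/.gnupg - - - - /state/root/gnupg"
      "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
      "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
      "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
    ];

    # security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";

    # HTTP/HTTPS are opened on all interfaces (the uplink included, which is
    # what ACME HTTP-01 for the commented-out sea-camera vhosts needed), but
    # only while nginx is actually enabled.  With nginx off — as it is in this
    # file — nothing is exposed.
    networking.firewall.allowedTCPPorts = mkIf nginx-enabled [ 80 443 ];

    # nginx resolves upstream names through the local bind; only meaningful
    # when nginx runs.
    systemd.services.nginx.requires = mkIf nginx-enabled [ "bind.service" ];

    services = {
      # nginx = {
      #   enable = true;
      #   recommendedGzipSettings = true;
      #   recommendedOptimisation = true;
      #   recommendedProxySettings = true;
      #   virtualHosts = {
      #     "dns-hole.${domain-name}" = {
      #       serverAliases = [
      #         "pi-hole.${domain-name}"
      #         "pihole.${domain-name}"
      #         "hole.${domain-name}"
      #         "pi-hole"
      #         "pihole"
      #         "dns-hole"
      #         "hole"
      #       ];
      #       locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
      #     };
      #     ## This keeps failing, too many requests...give it a rest for now
      #     # "sea-camera.fudo.link" = {
      #     #   enableACME = true;
      #     #   forceSSL = true;
      #     #   locations."/" = {
      #     #     # proxyPass = "http://cargo.sea.fudo.org:5000/webman/3rdparty/SurveillanceStation/";
      #     #     proxyPass = "http://cargo.sea.fudo.org:5000/";
      #     #     extraConfig = ''
      #     #       proxy_http_version 1.1;
      #     #       proxy_set_header Upgrade $http_upgrade;
      #     #       proxy_set_header Connection "Upgrade";
      #     #       proxy_set_header Host $host;
      #     #       # proxy_set_header X-Real-IP $remote_addr;
      #     #       # proxy_set_header X-Forwarded-By $server_addr:$server_port;
      #     #       # proxy_set_header X-Forwarded-For $remote_addr;
      #     #       # proxy_set_header X-Forwarded-Proto $scheme;
      #     #     '';
      #     #   };
      #     # };
      #     # "sea-camera-od.fudo.link" = {
      #     #   enableACME = true;
      #     #   forceSSL = true;
      #     #   locations."/" = {
      #     #     proxyPass = "http://panopticon-od.sea.fudo.org";
      #     #     extraConfig = ''
      #     #       proxy_http_version 1.1;
      #     #       proxy_set_header Upgrade $http_upgrade;
      #     #       proxy_set_header Connection "Upgrade";
      #     #       proxy_set_header Host $host;
      #     #       proxy_set_header X-Real-IP $remote_addr;
      #     #       proxy_set_header X-Forwarded-By $server_addr:$server_port;
      #     #       proxy_set_header X-Forwarded-For $remote_addr;
      #     #       proxy_set_header X-Forwarded-Proto $scheme;
      #     #     '';
      #     #   };
      #     # };
      #   };
      # };

      # Host keys persisted on /state so the host identity survives a
      # rebuild; ed25519 is preferred, RSA kept (4096-bit) for old clients.
      openssh = {
        hostKeys = [
          { path = "/state/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
          { path = "/state/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
        ];
      };
    };
  };
}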