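# NixOS host configuration for "nostromo": NFS file server with Kerberos
# (krb5) secured exports, Murmur, Grafana/Loki/PostgreSQL state directories,
# the pricebot Mattermost service, and a podman-backed container runtime.
{ config, lib, pkgs, ... }:

with pkgs.lib;

let
  hostname = "nostromo";
  # Domain of this host, as declared in the fudo host registry.
  domainName = config.fudo.hosts."${hostname}".domain;
  domain = config.fudo.domains."${domainName}";
  host-fqdn = pkgs.lib.getHostFqdn hostname;

in {
  networking = {
    interfaces = {
      # Physical NICs are left unconfigured; only intif0 gets an address.
      eno1.useDHCP = false;
      eno2.useDHCP = false;
      eno3.useDHCP = false;
      eno4.useDHCP = false;
      enp33s0f0.useDHCP = false;
      enp33s0f1.useDHCP = false;
      enp9s0f0.useDHCP = false;
      enp9s0f1.useDHCP = false;
      intif0 = { useDHCP = true; };
    };
    # NOTE(review): the host firewall is disabled, so every listening service
    # (Murmur on 64738, NFS/rpc, the podman socket, PostgreSQL, ...) is
    # reachable on any interface that comes up -- confirm that filtering
    # happens upstream, or scope listeners to intif0.
    firewall.enable = false;
  };

  environment.systemPackages = [ pkgs.kdcConvertDatabase ];

  # Kernel-side RPCSEC_GSS support; the sec=krb5p/krb5i exports below rely on
  # it being available on the server.
  boot.kernelModules = [ "rpcsec_gss_krb5" ];

  services = {
    murmur = {
      enable = true;
      port = 64738;
      # Announces the server via mDNS on the local link.
      bonjour = true;
    };

    nfs = {
      # See ../user-config.nix for the user@REALM -> user mapping
      server = {
        enable = true;
        # Export directories are real mounts (see systemd.services.nfs-server);
        # never let the NFS server create empty stand-ins for them.
        createMountPoints = false;
        exports = let
          # All exports are limited to 10.0.0.0/24 and require Kerberos.
          # NOTE(review): no_root_squash lets root on an authenticated client
          # act as root on the export -- confirm this is required for every
          # share. /export/downloads uses krb5i (integrity only, contents
          # travel unencrypted) while the others use krb5p; confirm that is
          # intentional.
          exportList = [
            "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)"
            "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)"
            "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)"
          ];
        in ''
          ${concatStringsSep "\n" exportList}
        '';
      };
    };

    authentikContainer.state-directory = "/state/services/authentik";
  };

  systemd = {
    # Parent directory for all per-service state; each service is expected to
    # manage the permissions of its own subdirectory.
    # NOTE(review): 0755 makes the directory listing world-readable -- confirm
    # the subdirectories created by the services are locked down themselves.
    tmpfiles.rules = [ "d /state/services 0755 root root - -" ];

    services = {
      nfs-server = let
        exportMounts = [
          "export-documents.mount"
          "export-downloads.mount"
          "export-projects.mount"
        ];
      in {
        # Don't start on boot; only when the storage target is pulled in.
        wantedBy = mkForce [ "sea-store.target" ];
        # Only start after the filesystem mounts are available. `after` alone
        # merely orders the units when both happen to be in the same
        # transaction; `requires` pulls the mounts in and fails the server if
        # one is missing, so an unmounted /export/* directory on the root
        # filesystem is never exported by accident.
        requires = exportMounts;
        after = exportMounts;
      };

      grafana = {
        # Grafana's datastore lives in the local PostgreSQL; start/stop with it.
        requires = [ "postgresql.service" ];
        bindsTo = [ "postgresql.service" ];
      };
    };
  };

  fudo = let
    # Deterministic per-build password; currently unused (see the commented
    # secrets and database settings below).
    grafana-database-passwd-file = pkgs.lib.passwd.stablerandom-passwd-file
      "grafana-database-nostromo-password"
      "grafana-database-nostromo-password-${config.instance.build-seed}";
    host-secrets = config.fudo.secrets.host-secrets.${hostname};
  in {
    secrets.host-secrets.${hostname} = {
      # grafana-database-password = {
      #   source-file = grafana-database-passwd-file;
      #   target-file = "/run/services/grafana/db.passwd";
      #   user = config.systemd.services.grafana.serviceConfig.User;
      # };
      # postgres-grafana-password = {
      #   source-file = grafana-database-passwd-file;
      #   target-file = "/run/services/postgres/db.passwd";
      #   user = config.services.postgresql.superUser;
      # };
      # Mattermost token for the pricebot; installed readable by root only.
      # NOTE(review): if the pricebot service drops privileges, the token file
      # should be owned by its service user instead -- confirm how it runs.
      pricebot-auth-token = {
        source-file = config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
        target-file = "/run/services/pricebot/auth.token";
        user = "root";
      };
    };

    pricebot = {
      enable = true;
      mattermost-url = "https://chat.fudo.org";
      # Token is read from the deployed secret rather than embedded here.
      mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
      monitors = {
        btc = {
          mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
          notify-user = "niten";
        };
      };
    };

    services = {
      logging.loki.state-directory = "/state/services/loki";
      metrics.grafana = {
        state-directory = "/state/services/grafana";
        smtp.hostname = "mail.fudo.org";
        # database = {
        #   user = "grafana";
        #   password-file = host-secrets.grafana-database-password.target-file;
        # };
        ldap.base-dn = "dc=fudo,dc=org";
      };
      postgresql = {
        # Also set under fudo.postgresql below; keep the two in sync.
        state-directory = "/state/services/postgresql";
        # Service keytab so PostgreSQL can accept GSSAPI logins as
        # postgres/<fqdn>@<realm>.
        keytab = extractFudoKeytab {
          realm = domain.gssapi-realm;
          principals = [ "postgres/${host-fqdn}" ];
        };
      };
      auth.kerberos.state-directory = "/state/services/heimdal-kdc";
    };

    postgresql = {
      enable = true;
      local-networks = config.instance.local-networks;
      state-directory = "/state/services/postgresql";
      # Local admins get access to the grafana database.
      databases.grafana.users = config.instance.local-admins;
      # users.grafana = {
      #   password-file = host-secrets.postgres-grafana-password.target-file;
      #   databases.grafana = {
      #     entity-access = {
      #       "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
      #       "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES";
      #     };
      #   };
      # };
    };
  };

  virtualisation = {
    docker.enable = false;
    podman = {
      enable = true;
      # Docker-compatible API socket for arion.
      # NOTE(review): access to this socket is root-equivalent on the host --
      # confirm which users/groups can reach it.
      dockerSocket.enable = true;
      autoPrune.enable = true;
    };
    arion.backend = "podman-socket";
  };

  imports = [ ./nostromo/factorio.nix ./nostromo/minecraft.nix ];

  ## Until I can figure out how to use one common host API, forget this
  # fudo.ipfs = {
  #   enable = true;
  #   users = [ "niten" ];
  #   api-address = "/ip4/0.0.0.0/tcp/5001";
  # };
}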