{ config, lib, pkgs, ... }:
{
  # Base NixOS module shared by every host: a minimal global package set,
  # SSH server hardening, gpg-agent acting as the SSH agent, Kerberos
  # (GSSAPI) client/server settings and the keyboard layout.

  # A copy of the whole configuration tree, exposed under /etc for reference.
  # Everything below ../../. ends up in the Nix store, which is world-readable,
  # so keep secrets out of that tree.
  environment.etc.current-nixos-config.source = ../../.;

  # Available to all users on the system. Keep it minimal.
  environment.systemPackages = [
    pkgs.bind
    pkgs.git
    pkgs.openssh_gssapi
    pkgs.vim
    pkgs.wget
  ];

  # Start gpg-agent on login and point SSH at its socket, so keys held by
  # GnuPG (e.g. on a smartcard) are usable for SSH.
  environment.shellInit = ''
    ${pkgs.gnupg}/bin/gpg-connect-agent /bye
    export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
  '';

  nixpkgs.config.allowUnfree = true;
  security.acme.acceptTerms = true;
  # Unattended upgrades; whatever the channel delivers is applied.
  system.autoUpgrade.enable = true;

  services.openssh = {
    enable = true;
    startWhenNeeded = true;
    useDns = true;
    # Root may only log in with a key or GSSAPI ticket, never a password.
    permitRootLogin = "prohibit-password";
    extraConfig = ''
      GSSAPIAuthentication yes
      GSSAPICleanupCredentials yes
    '';
    # FIXME: add all the hosts we know about
    knownHosts = {
      # publicKey, hostNames
    };
  };

  # Throttles repeated authentication failures against sshd.
  services.fail2ban.enable = true;

  services.xserver = {
    layout = "us";
    xkbVariant = "dvp";
    xkbOptions = "ctrl:nocaps";
  };
  # services.pcscd.enable = true;
  # services.udev.packages = with pkgs; [ yubikey-personalization ];

  console.useXkbConfig = true;
  i18n.defaultLocale = "en_US.UTF-8";

  programs.mosh.enable = true;
  programs.bash.enableCompletion = true;
  programs.fish.enable = true;

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
  };

  programs.ssh = {
    # Use GPG agent instead
    startAgent = false;
    package = pkgs.openssh_gssapi;
    # NOTE(review): this applies to every Host. Delegating the Kerberos
    # credentials lets any server we connect to act on our behalf; scope it
    # with a Host block if servers outside our control are reachable.
    extraConfig = ''
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
    '';
  };

  security.pam = {
    # PAM may accept keys presented by the (possibly forwarded) SSH agent,
    # presumably for sudo. A forwarded agent is reachable by root on the
    # remote host, so agent forwarding should stay off towards hosts that
    # are not fully trusted.
    enableSSHAgentAuth = true;
    services.sshd = {
      makeHomeDir = true;
      sshAgentAuth = true;
      # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
      # googleAuthenticator.enable = true;
    };
  };

  services.dbus.socketActivated = true;
}