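# NixOS host module for the gateway host: internal LAN addressing, the
# fudo local-network services, persistent state under /state, and an
# nginx reverse proxy (TLS terminated here) for sea-home.fudo.link.
{ config, lib, pkgs, ... }:

let
  # Static address of this host on the internal LAN (intif0).
  primary-ip = "10.0.0.1";
  # dns-proxy-port = 5335;
in {
  config = {
    networking = {
      interfaces = {
        # Upstream/WAN side: addressed by DHCP.
        enp1s0 = { useDHCP = true; };
        # Internal LAN: static address plus a static route to the
        # 192.168.86.0/24 segment reachable via 10.0.0.3.
        intif0 = {
          useDHCP = false;
          ipv4 = {
            addresses = [{
              address = primary-ip;
              prefixLength = 16;
            }];
            routes = [{
              address = "192.168.86.0";
              prefixLength = 24;
              via = "10.0.0.3";
            }];
          };
        };
        intif1 = { useDHCP = false; };
        intif2 = { useDHCP = false; };
      };

      # IPv6 is disabled host-wide.
      enableIPv6 = false;

      # 80/443 are for the nginx reverse proxy below.  allowedTCPPorts is not
      # interface-scoped, so these ports are also open on the external enp1s0
      # (i.e. Internet-facing); the proxied service is therefore reachable
      # from outside as soon as nginx is up.
      firewall.allowedTCPPorts = [ 80 443 ];

      # nameservers = [ "10.0.0.1" ];
      # FIXME: this should be automatic
      # firewall.trustedInterfaces =
      #   [ "intif0" "intif1" "intif2" "lo" "docker0" ];
      # nat = {
      #   enable = true;
      #   externalInterface = "enp1s0";
      #   internalInterfaces = [ "intif0" "intif1" "intif2" ];
      # };
    };

    fudo = {
      # Tells the fudo modules which NIC faces the outside world.
      hosts.limina.external-interfaces = [ "enp1s0" ];
      client.dns.external-interface = "enp1s0";
      garbage-collector = {
        enable = true;
        timing = "weekly";
      };
      services = {
        local-network = {
          enable = true;
          internal-interfaces = [ "intif0" "intif1" "intif2" ];
          external-interface = "enp1s0";
          dns-filter-proxy.enable = true;
        };
        metrics = {
          prometheus.state-directory = "/state/services/prometheus";
        };
        # wireguard-gateway = {
        #   enable = true;
        #   network = "10.0.200.0/24";
        #   peers = {
        #     niten-phone = {
        #       public-key = "";
        #       assigned-ip = "10.0.200.2";
        #     };
        #   };
        # };
      };
    };

    # Support for statelessness: anything that must survive a rebuild lives
    # under /state and is linked into place.
    environment.etc = {
      NIXOS.source = "/state/etc/NIXOS";
      "host-config.nix".source = "/state/etc/host-config.nix";
    };

    systemd = {
      tmpfiles.rules = [
        "L /etc/adjtime - - - - /state/etc/adjtime"
        "L /root/.gnupg - - - - /state/root/gnupg"
        # root's SSH identity and known_hosts are persisted on /state, so the
        # secrecy of id_rsa is only as good as the protection of that volume.
        "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
        "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
        "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
      ];
      # nginx resolves the static proxyPass hostname when it loads its config;
      # presumably the local bind is the resolver for that name, so it must be
      # up first.
      services.nginx.requires = [ "bind.service" ];
    };

    # NOTE(review): newer NixOS releases expect security.acme.defaults.email
    # and require security.acme.acceptTerms = true; confirm those are set
    # (here or in another module) for the nixpkgs release this host pins.
    security.acme.email = "niten@fudo.org";

    services = {
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "sea-home.fudo.link" = {
            # ACME-issued certificate; plain-HTTP requests are redirected to HTTPS.
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              # TLS terminates at this host; the hop to the upstream is plain
              # HTTP over the internal network.
              proxyPass = "http://home-assist.sea.fudo.org/";
              # Use the module's websocket support rather than hand-written
              # headers: it sets `Connection $connection_upgrade` through a map,
              # so only requests carrying an Upgrade header get
              # `Connection: Upgrade`, while ordinary requests keep a normal
              # connection to the upstream.
              proxyWebsockets = true;
            };
          };
        };
      };
      openssh = {
        # Host keys live on /state so the host's SSH identity survives reinstalls.
        hostKeys = [
          { path = "/state/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
          { path = "/state/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
        ];
      };
    };
  };
}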