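# NixOS host module: declares the deploy group, a permission fixer for the
# deployed secrets directory, the persistent-state links needed because the
# root dataset is rolled back to a blank snapshot on every boot, and the
# static network / SSH host-key configuration.
{ config, lib, pkgs, ... }:

with lib;

let
  # Static address of this host on intif0.
  primary-ip = "10.0.0.21";
  # Group that is granted read access to the deployed secrets.
  deploy-group = "nixops-deploy";
  # Directory whose ownership and mode the fixer service enforces.
  secrets-path = "/srv/secrets";
in {
  config = {
    users.groups = {
      ${deploy-group} = { members = [ "niten" ]; };
    };

    systemd = let
      secrets-watcher-name = "secrets-ownership-fixer";
    in {
      # Re-run the fixer whenever ${secrets-path} changes, so a freshly
      # deployed file does not keep whatever mode it was written with.
      # NOTE(review): the path unit watches the named directory itself;
      # changes deeper in the tree are presumably only picked up when a
      # top-level entry changes — confirm if nested secret dirs are used.
      paths.${secrets-watcher-name} = {
        description = "Watch ${secrets-path} and correct perms on change.";
        wantedBy = [ "multi-user.target" ];
        pathConfig = {
          PathChanged = secrets-path;
          Unit = "${secrets-watcher-name}.service";
        };
      };

      services.${secrets-watcher-name} = {
        wantedBy = [ "multi-user.target" ];
        description = "Correct perms on ${secrets-path}.";
        serviceConfig = {
          # The script runs to completion: oneshot makes multi-user.target and
          # each path-triggered activation wait for it to finish instead of
          # treating process start as success.
          Type = "oneshot";
          # Deliberately no `set -e`: even if chown fails on some entry, the
          # chmod that strips world access must still run.
          ExecStart = pkgs.writeShellScript "${secrets-watcher-name}.sh" ''
            chown -R root:${deploy-group} ${secrets-path}
            chmod -R ug=rX,o= ${secrets-path}
          '';
        };
      };

      # Link state that must survive the root rollback into /state.
      tmpfiles.rules = [
        "L /root/.gnupg - - - - /state/root/gnupg"
        # "L /root/.emacs.d - - - - /state/root/emacs.d"
        "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
        "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
        "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
        "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
        "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
      ];
    };

    environment.etc = {
      nixos.source = "/state/nixos";
      adjtime.source = "/state/etc/adjtime";
      NIXOS.source = "/state/etc/NIXOS";
      machine-id.source = "/state/etc/machine-id";
      "host-config.nix".source = "/state/etc/host-config.nix";
      # Keytab is root-only; giving it an explicit mode installs it as a
      # copy with that mode rather than as a symlink into /state.
      "krb5.keytab" = {
        source = "/state/etc/plato.keytab";
        user = "root";
        group = "root";
        mode = "0600";
      };
    };

    system.stateVersion = "20.09";

    # Roll the root dataset back to its empty snapshot on every boot; only
    # /state (and what is linked into it above) persists across reboots.
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
    '';

    security.sudo.extraConfig = ''
      # rollback results in sudo lectures after each reboot
      Defaults lecture = never
    '';

    networking = {
      defaultGateway = {
        address = "10.0.0.1";
        interface = "intif0";
      };
      interfaces = {
        intif0 = {
          useDHCP = false;
          ipv4.addresses = [{
            address = primary-ip;
            prefixLength = 22;
          }];
        };
      };
    };

    services = {
      openssh = {
        # Host keys live in the persistent dataset so the host identity
        # survives the root rollback.
        hostKeys = [
          {
            path = "/state/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
          {
            path = "/state/ssh/ssh_host_rsa_key";
            type = "rsa";
            bits = 4096;
          }
        ];
      };
    };
  };
}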