{ config, lib, pkgs, ... }:

# Host module for "nostromo": a Kerberos-secured NFS file server that also
# runs Murmur, pricebot, PostgreSQL and a Podman-backed container stack.
# Helpers used below (genAttrs, concatStringsSep, mkForce, getHostFqdn,
# extractFudoKeytab) are brought into scope from pkgs.lib here.
with pkgs.lib;

let
  hostname = "nostromo";
  domainName = config.fudo.hosts."${hostname}".domain;
  domain = config.fudo.domains."${domainName}";
  host-fqdn = getHostFqdn hostname;

  # Physical NICs that are deliberately left without DHCP; only intif0 is
  # configured with an address.
  undhcpNics = [
    "eno1" "eno2" "eno3" "eno4"
    "enp33s0f0" "enp33s0f1"
    "enp9s0f0" "enp9s0f1"
  ];

  # NFS exports, one line each in exports(5) syntax.  Every share is limited to
  # the 10.0.0.0/24 client range and requires Kerberos: sec=krb5p adds integrity
  # and encryption on the wire, sec=krb5i (the downloads share) integrity only.
  # no_root_squash means a client's uid 0 is honoured as root on these shares,
  # so the client allow-list and Kerberos are the only things restricting it.
  nfsExports = [
    "/export/documents 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=10,sec=krb5p)"
    "/export/downloads 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=11,sec=krb5i)"
    "/export/projects 10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check,fsid=12,sec=krb5p)"
  ];

  # This host's own secret declarations (defined further down in `fudo`).
  host-secrets = config.fudo.secrets.host-secrets."${hostname}";

in {
  imports = [ ./nostromo/factorio.nix ./nostromo/minecraft.nix ];

  networking = {
    interfaces = genAttrs undhcpNics (_: { useDHCP = false; })
      // { intif0.useDHCP = true; };
    # No host firewall: every listening service on this machine is reachable
    # from any network it is attached to, so exposure is controlled upstream.
    firewall.enable = false;
  };

  environment.systemPackages = [ pkgs.kdcConvertDatabase ];

  # Hopefully this'll help with NFS... (kernel GSS/Kerberos support, which the
  # sec=krb5* export options rely on)
  boot.kernelModules = [ "rpcsec_gss_krb5" ];

  services = {
    murmur = {
      enable = true;
      port = 64738;
      bonjour = true;
    };

    nfs.server = {
      # See ../user-config.nix for the user@REALM -> user mapping
      enable = true;
      createMountPoints = false;
      exports = ''
        ${concatStringsSep "\n" nfsExports}
      '';
    };

    authentikContainer.state-directory = "/state/services/authentik";
  };

  systemd = {
    tmpfiles.rules = [ "d /state/services 0755 root root - -" ];

    services.nfs-server = {
      # Don't start on boot
      wantedBy = mkForce [ "sea-store.target" ];
      # Only start after filesystem mounts are available
      after = [
        "export-documents.mount"
        "export-downloads.mount"
        "export-projects.mount"
      ];
    };
  };

  fudo = {
    secrets.host-secrets.${hostname}.pricebot-auth-token = {
      source-file =
        config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
      # Token is materialised at runtime under /run rather than in the store.
      target-file = "/run/services/pricebot/auth.token";
      user = "root";
    };

    pricebot = {
      enable = true;
      mattermost-url = "https://chat.fudo.org";
      mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
      monitors.btc = {
        mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
        notify-user = "niten";
      };
    };

    services = {
      logging.loki.state-directory = "/state/services/loki";

      metrics.grafana = {
        state-directory = "/state/services/grafana";
        smtp.hostname = "mail.fudo.org";
      };

      postgresql = {
        state-directory = "/state/services/postgresql";
        # Service keytab for the postgres/<fqdn> principal in this host's realm.
        keytab = extractFudoKeytab {
          realm = domain.gssapi-realm;
          principals = [ "postgres/${host-fqdn}" ];
        };
      };

      auth.kerberos.state-directory = "/state/services/heimdal-kdc";
    };

    postgresql = {
      enable = true;
      local-networks = config.instance.local-networks;
      state-directory = "/state/services/postgresql";
    };
  };

  virtualisation = {
    docker.enable = false;
    podman = {
      enable = true;
      # Docker-API-compatible socket, consumed by arion below; anyone able to
      # open that socket can drive the container runtime.
      dockerSocket.enable = true;
      autoPrune.enable = true;
    };
    arion.backend = "podman-socket";
  };

  ## Until I can figure out how to use one common host API, forget this
  # fudo.ipfs = {
  #   enable = true;
  #   users = [ "niten" ];
  #   api-address = "/ip4/0.0.0.0/tcp/5001";
  # };
}