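{ config, lib, pkgs, ... }:

let
  hostname = config.instance.hostname;

  # Available to all users on the system. Keep it minimal.
  # NOTE(review): this list is not referenced anywhere in this module
  # (presumably it was meant for environment.systemPackages) -- confirm
  # before relying on these being installed.
  global-packages = with pkgs; [
    bind
    cryptsetup
    git
    heimdal
    mosh
    openssh_gssapi
    tldr
    vim
    wget
  ];

  # Directories whose top-level *.nix files are imported as NixOS modules.
  import-paths = [ ./build ./host ./user ];

in {
  # Import every regular (or symlinked) *.nix file found directly inside
  # each of import-paths. Subdirectories are not descended into.
  imports = let
    # builtins.readDir reports symlinks as "symlink"; the previous check
    # compared against "link", which never matches, so symlinked module
    # files were silently skipped.
    is-module-file = _filename: type: type == "regular" || type == "symlink";

    module-files = path:
      lib.attrNames (lib.filterAttrs is-module-file (builtins.readDir path));

    # builtins.match is implicitly anchored, and the dot must be escaped:
    # the previous pattern "^(.+).nix$" also accepted names like "foonix".
    is-nix-file = filename: builtins.match ".+\\.nix" filename != null;

    nix-files = path:
      map (file: path + "/${file}") (lib.filter is-nix-file (module-files path));
  in lib.concatMap nix-files import-paths;

  config = {
    fudo.hosts."${hostname}".local-networks = [ "::1/128" ];

    # Upgrades are applied explicitly, never unattended.
    system.autoUpgrade.enable = false;

    nix = {
      package = pkgs.nixFlakes;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 7d";
      };
    };

    nixpkgs.config.allowUnfree = true;
    hardware.enableAllFirmware = true;

    services = {
      openssh = {
        enable = true;
        startWhenNeeded = true;
        settings = {
          # NOTE(review): UseDns only matters for hostname-based from=
          # restrictions in authorized_keys; otherwise it adds a reverse
          # lookup (and a possible login delay) per connection without
          # any security benefit. Consider false if such restrictions are
          # not in use.
          UseDns = true;
          # Root may still authenticate with keys/GSSAPI, never a password.
          PermitRootLogin = "prohibit-password";
          # NOTE(review): PasswordAuthentication is not set here, so the
          # NixOS default applies -- confirm that is intended, since
          # fail2ban (below) is the only brute-force mitigation configured.

          # extraConfig = ''
          #   GSSAPIAuthentication yes
          #   GSSAPICleanupCredentials yes
          #   GSSAPIKeyExchange yes
          #   GSSAPIStoreCredentialsOnRekey yes
          # '';

          # FIXME: This is temporary!
          # Getting error: Unsupported KEX algorithm "sntrup761x25519-sha512@openssh.com"
          # kexAlgorithms = [
          #   "curve25519-sha256"
          #   "curve25519-sha256@libssh.org"
          #   "diffie-hellman-group-exchange-sha256"
          # ];
        };
      };

      # Enabled together with the firewall -- presumably because bans are
      # enforced through it, so fail2ban would be a no-op without one.
      # (An unused `domain-name` binding was dropped here.)
      fail2ban = {
        enable = config.networking.firewall.enable;
        bantime-increment.enable = true;
      };

      xserver = {
        layout = "us";
        xkbVariant = "dvp";
        xkbOptions = "ctrl:nocaps";
      };

      # Only schedule scrubs when at least one btrfs filesystem is declared.
      btrfs.autoScrub.enable =
        lib.any (fs: fs.fsType == "btrfs") (lib.attrValues config.fileSystems);

      # Smart-card daemon and udev rules for YubiKey access.
      pcscd.enable = true;
      udev = {
        enable = true;
        packages = with pkgs; [ yubikey-personalization ];
      };
    };

    # Allow mosh connections if the firewall is enabled.
    # NOTE(review): this range (101 ports) is narrower than the 60000-61000
    # range mosh-server uses by default; confirm that is intentional.
    networking.firewall.allowedUDPPortRanges = [{
      from = 60000;
      to = 60100;
    }];

    console.useXkbConfig = true;
    i18n.defaultLocale = "en_US.UTF-8";

    programs = {
      mosh.enable = true;
      bash.enableCompletion = true;
      fish.enable = true;
      gnupg.agent = {
        enable = true;
        # enableSSHSupport = true;
        # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
      };
      ssh.startAgent = true;
    };

    security = {
      acme.acceptTerms = true;
      sudo.extraConfig = ''
        # rollback results in sudo lectures after each reboot
        Defaults lecture = never
      '';
      pam = {
        # NOTE(review): authenticating via a forwarded SSH agent trusts
        # whoever can reach the agent socket on the client side; only
        # forward agents toward hosts you trust.
        enableSSHAgentAuth = true;
        services.sshd = {
          makeHomeDir = true;
          sshAgentAuth = true;
          # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
          # googleAuthenticator.enable = true;
        };
        # yubikey = {
        #   enable = true;
        #   debug = true;
        #   mode = "challenge-response";
        # };
      };
    };
  };
}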