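# NixOS host module: persists SSH/GnuPG material under a state directory,
# proxies Home Assistant through nginx, and runs it as a Docker-backed OCI
# container. The Shinobi/PhotoPrism containers at the bottom are disabled.
{ config, lib, pkgs, ... }:

let
  # Only referenced by the disabled Shinobi containers at the end of the file.
  shinobi-port = "7080";
  shinobi-od-port = "7082";

  # Must be a string, not a path literal: interpolating a Nix path value
  # would copy the directory into the world-readable Nix store.
  state-dir = "/state";

  home-assistant-port = 8123;

in {
  boot = {
    loader.grub.copyKernels = true;
    # RPCSEC_GSS Kerberos 5 support (used by Kerberos-secured NFS mounts).
    kernelModules = [ "rpcsec_gss_krb5" ];
  };

  networking = {
    interfaces = {
      # Only intif0 requests a DHCP lease; the physical ports do not.
      enp3s0f0.useDHCP = false;
      enp3s0f1.useDHCP = false;
      enp4s0f0.useDHCP = false;
      enp4s0f1.useDHCP = false;
      intif0.useDHCP = true;
    };
  };

  # "L" creates symlinks, so root's GnuPG home and SSH identity resolve into
  # the state directory. The mode/uid/gid fields are left unset ("-"), so the
  # effective protection is whatever the targets carry.
  # NOTE(review): confirm ${state-dir}/user/root is root-owned and not
  # group/world accessible, since it holds private key material.
  systemd.tmpfiles.rules = [
    "L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
    "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
    "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
    "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
  ];

  # Host keys live in the state directory so the host identity stays stable.
  services.openssh.hostKeys = [
    {
      path = "${state-dir}/ssh/ssh_host_rsa_key";
      type = "rsa";
      bits = 4096;
    }
    {
      # Ed25519 keys have a fixed size, so no `bits` is given here; the
      # former `bits = 4096` had no effect on the generated key.
      path = "${state-dir}/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];

  environment.etc = {
    # Expose the persisted host keys under /etc/ssh as well. Private halves
    # are root-only (0400); public halves are world-readable (0444).
    "ssh/ssh_host_rsa_key" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_rsa_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };
    "ssh/ssh_host_ed25519_key" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_ed25519_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };

    # Host-specific files kept in the state directory.
    nixos.source = "/etc/nixos-live";
    "host-config.nix".source = "${state-dir}/host/host-config.nix";
    adjtime.source = "${state-dir}/host/adjtime";
    NIXOS.source = "${state-dir}/host/NIXOS";
  };

  security.sudo.extraConfig = ''
    # Due to rollback, sudo will lecture after every reboot
    Defaults lecture = never
  '';

  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;

    # NOTE(review): this virtual host is plain HTTP as written; no forceSSL,
    # enableACME or certificate is configured here. Unless TLS is terminated
    # elsewhere, Home Assistant logins and session tokens cross the network
    # unencrypted.
    virtualHosts."home.sea.fudo.org" = {
      locations."/" = {
        proxyPass = "http://localhost:${toString home-assistant-port}";
        # Home Assistant's frontend relies on websockets.
        proxyWebsockets = true;
      };
    };
  };

  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;
      autoPrune = { enable = true; };
    };

    oci-containers = {
      backend = "docker";
      containers = {
        home-assistant = {
          # NOTE(review): "stable" is a mutable tag, so the image content can
          # change between pulls; pinning by digest makes the deployed image
          # reproducible and auditable.
          image = "homeassistant/home-assistant:stable";
          autoStart = true;
          environment.TZ = config.time.timeZone;
          # ports = [ "${toString home-assistant-port}:8123" ];
          volumes = [ "${state-dir}/services/home-assistant:/config" ];
          # With --network=host the container shares the host network
          # namespace, so the service is not confined to the nginx proxy
          # path above.
          # NOTE(review): confirm the host firewall keeps the Home Assistant
          # port closed to other machines, and that /dev/ttyACM0 is the only
          # device the container needs.
          extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ];
        };

        # shinobi = {
        #   image = "shinobisystems/shinobi:latest";
        #   ports = [ "${shinobi-port}:8080" ];
        #   volumes = [
        #     "/state/shinobi/plugins:/home/Shinobi/plugins"
        #     "/state/shinobi/config:/home/Shinobi/config"
        #     "/state/shinobi/videos:/home/Shinobi/videos"
        #     "/state/shinobi/db-data:/var/lib/mysql"
        #     "/etc/localtime:/etc/localtime:ro"
        #   ];
        # };

        # NOTE(review): PLUGIN_KEY used to be a literal value committed here in
        # plaintext. Treat that value as exposed and rotate it before
        # re-enabling this container. Supply the new key through
        # `environmentFiles` pointing at a root-only file outside the Nix
        # store, which is world-readable.
        # shinobi-od = {
        #   image = "shinobisystems/shinobi-tensorflow:latest";
        #   volumes =
        #     [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
        #   ports = [ "${shinobi-od-port}:8082" ];
        #   environment = {
        #     PLUGIN_HOST = "panopticon.sea.fudo.org";
        #     PLUGIN_PORT = shinobi-port;
        #     PLUGIN_KEY = "<REDACTED-ROTATE-AND-LOAD-FROM-SECRET-FILE>";
        #   };
        # };

        # photoprism = { image = "photoprism/photoprism"; };
      };
    };
  };
}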