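{ lib, config, inputs, pkgs, ... }:
let
  root_host = "grimmauld.de";

  # The ACME contact address lives outside version control:
  #   git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
  # email.txt must hold exactly one whitespace-trimmed token. A missing or
  # malformed file now fails evaluation with a readable message instead of the
  # opaque error `builtins.elemAt` raises when `match` returns null.
  email_match = lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt);
  root_email =
    if email_match == null
    then throw "email.txt must contain exactly one e-mail address"
    else builtins.elemAt email_match 0;

  # Ports of the two proxied web UIs. Both are reached only through nginx, so
  # they are bound to loopback below and are not opened in the firewall.
  puffer_port = 8080;
  # PufferPanel's built-in SFTP daemon is exposed directly (see the firewall).
  puffer_sftp_port = 5657;
  puffer_host = "puffer.${root_host}";
  gitea_host = "git.${root_host}";
  gitea_port = 8081;
in
{
  imports = [ ./hardware-configuration.nix ];

  services.gitea = {
    enable = true;
    lfs.enable = true;
    settings = {
      service.DISABLE_REGISTRATION = true;
      server = {
        # Only the local nginx talks to Gitea; do not listen on every interface.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = gitea_port;
        # Behind a TLS-terminating proxy Gitea needs its public URL; otherwise
        # generated links and redirects point at the module default
        # (http://localhost:<HTTP_PORT>/).
        DOMAIN = gitea_host;
        ROOT_URL = "https://${gitea_host}/";
        # Git over SSH is not offered; with HTTP on loopback Gitea has no
        # public listener of its own.
        DISABLE_SSH = true;
      };
      # log.LEVEL = "Debug";
    };
  };

  # agenix-managed secrets; decrypted at activation, never stored in the Nix store.
  age.secrets = {
    duckdns_token.file = ./secrets/duckdns_token.age;
  };

  users.users.grimmauld = {
    isNormalUser = true;
    description = "grimmauld";
    # NOTE: membership in "docker" grants control of the Docker socket, which
    # is equivalent to root on this host; keep this list to trusted admins.
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.xonsh;
    packages = with pkgs; [ hyfetch ];
    openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
  };
  programs.xonsh.enable = true;

  environment.systemPackages = with pkgs; [
    wget
    tree
    vim
    git
    file
    git-lfs
    util-linux
    btop
    cached-nix-shell
    cloud-utils
    parted
    visualvm
    linuxPackages.perf
    lshw
    pciutils
    gitea
    # ffmpeg-full
    pufferpanel
    # "$@" is quoted so arguments containing whitespace reach pufferpanel
    # intact instead of being re-split by the shell.
    (writeShellScriptBin "pufferpanel-nix" ''pufferpanel --workDir /var/lib/pufferpanel "$@"'')
    pypy3
  ];

  systemd.services = {
    # Hourly DuckDNS refresh. The token is read from the agenix-decrypted file
    # at run time; note that the `$(<…)` expansion places it in curl's argument
    # list, so it is briefly visible to other local processes via /proc.
    dynamic-dns-updater = {
      path = [ pkgs.curl ];
      script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
      startAt = "hourly";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = root_email;
    # One certificate covering the apex and both service subdomains,
    # validated over HTTP-01 through nginx.
    certs."${root_host}" = {
      webroot = "/var/lib/acme/acme-challenge/";
      extraDomainNames = [ puffer_host gitea_host ];
    };
  };

  environment.sessionVariables = {
    NIXPKGS_ALLOW_UNFREE = "1";
    OMP_NUM_THREADS = "4";
  };

  # nginx must be able to read the ACME-issued key material.
  users.users.nginx.extraGroups = [ "acme" ];

  networking.firewall = {
    enable = true;
    # 80/443: nginx; puffer_sftp_port: PufferPanel SFTP; 25565: game server.
    # The proxied UIs (puffer_port, gitea_port) stay loopback-only.
    allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ];
    allowPing = true;
    allowedUDPPortRanges = [
      # { from = 4000; to = 4007; }
    ];
  };

  services.pufferpanel = {
    enable = true;
    environment = {
      # Web UI is only reached through the nginx proxy below.
      PUFFER_WEB_HOST = "127.0.0.1:${builtins.toString puffer_port}";
      # SFTP is reached directly by clients, hence all interfaces.
      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
    };
    extraPackages = with pkgs; [ jdk17_headless ];
    # NOTE: both groups hand the panel full control of the container runtimes.
    extraGroups = [ "podman" "docker" ];
  };
  virtualisation.podman.enable = true;
  virtualisation.docker.enable = true;

  services.nginx = {
    enable = true;
    package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Narrower than the recommendedTlsSettings default: AES-256 with
    # ECDHE/DHE key exchange only, anonymous suites excluded.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."${root_host}" = {
      forceSSL = true;
      useACMEHost = root_host;
      root = "/var/www/grimmauld.duckdns.org";
    };
    virtualHosts."${puffer_host}" = {
      serverName = puffer_host;
      forceSSL = true;
      useACMEHost = root_host;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
      };
    };
    virtualHosts."${gitea_host}" = {
      serverName = gitea_host;
      forceSSL = true;
      useACMEHost = root_host;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
      };
    };
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # NOTE(review): stateVersion is expected to be the NixOS release the host was
  # installed with (e.g. "23.05"); "unstable" is not a release number, so
  # version-gated stateful defaults resolve as if for the oldest release.
  # Only change it deliberately, after reviewing the affected options.
  system.stateVersion = "unstable";
  nixpkgs.config.allowUnfree = true;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "grimmauld-nixos-server";
  networking.domain = "";
  # sshd runs with the module defaults; only grimmauld has authorized keys.
  # Once key-based login is confirmed, consider
  # services.openssh.settings.PasswordAuthentication = false.
  services.openssh.enable = true;
  # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}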