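# NixOS host configuration for the server "grimmauld-nixos-server".
#
# Sets up locale/time, one interactive user, a set of admin tools, the firewall,
# an nginx virtual host for `root_host` that serves static files over TLS, and sshd.
{ lib, config, inputs, pkgs, ... }:
let
  # Domain used for the nginx virtual host, its web root and its ACME certificate.
  root_host = "grimmauld.de";
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Turns off the build-time check of the generated logrotate configuration.
  services.logrotate.checkConfig = false; # needed or this explodes

  time.timeZone = "Europe/Berlin";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "de_DE.UTF-8";
    LC_IDENTIFICATION = "de_DE.UTF-8";
    LC_MEASUREMENT = "de_DE.UTF-8";
    LC_MONETARY = "de_DE.UTF-8";
    LC_NAME = "de_DE.UTF-8";
    LC_NUMERIC = "de_DE.UTF-8";
    LC_PAPER = "de_DE.UTF-8";
    LC_TELEPHONE = "de_DE.UTF-8";
    LC_TIME = "de_DE.UTF-8";
  };

  users.users.grimmauld = {
    isNormalUser = true;
    description = "grimmauld";
    # "wheel" is the sudo group. Membership in "docker" gives access to the Docker
    # daemon socket, which is root-equivalent on its own and is not subject to the
    # sudo policy. Keep it only if the account really needs direct daemon access.
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.xonsh;
    packages = with pkgs; [ hyfetch ];
    # SSH public keys come from a separate file that is not shown here.
    openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
  };

  programs.xonsh.enable = true;

  environment.systemPackages = with pkgs; [
    wget
    vulnix
    tree
    git
    file
    git-lfs
    util-linux
    btop
    mkpasswd
    # NOTE(review): this is perf from the default kernel package set, while the
    # running kernel is linuxPackages_latest; config.boot.kernelPackages.perf
    # would follow the configured kernel.
    linuxPackages.perf
    gitea
    matrix-synapse-tools.synadm
    matrix-synapse
    pufferpanel
    # The wrappers forward their arguments as "$@" (quoted) so that an argument
    # containing whitespace or glob characters reaches the wrapped command as one
    # word instead of being re-split by the shell.
    (writeShellScriptBin "pufferpanel-nix" ''pufferpanel --workDir /var/lib/pufferpanel "$@"'')
    (writeShellScriptBin "nix-referrers" ''nix-store --query --referrers "$@"'')
    (writeShellScriptBin "silent-add" ''git add --intent-to-add "$@" ; git update-index --assume-unchanged "$@"'')
  ];

  environment.sessionVariables = {
    NIXPKGS_ALLOW_UNFREE = "1";
    OMP_NUM_THREADS = "8";
  };

  # Only HTTP and HTTPS are opened explicitly. The openssh module opens its own
  # port while services.openssh.openFirewall is left at its default.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    allowPing = true;
    allowedUDPPortRanges = [];
  };

  # services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # NOTE(review): this replaces the module's default cipher list for TLS 1.2 and
    # below. The pattern selects AES-256 suites with ECDHE or DHE key exchange,
    # which includes CBC-mode suites and leaves out ChaCha20-Poly1305. Unless there
    # is a specific requirement, dropping the override and using the module default
    # is the safer choice; check the result with a TLS scanner either way.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    virtualHosts."${root_host}" = {
      forceSSL = true;
      enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
      # The certificate for root_host must be declared under security.acme.certs
      # elsewhere; it is not defined in this file.
      useACMEHost = root_host;
      locations."/" = {
        root = "/var/www/${root_host}";
      };
    };
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nixpkgs.config.allowUnfree = true;
  boot.tmp.cleanOnBoot = true;

  # NOTE(review): "unstable" is not a release identifier. This option records the
  # NixOS release the machine was first installed with, and modules compare against
  # it to pick stateful defaults. Set it to that release (<INSTALL_RELEASE>); the
  # right value cannot be determined from this file, so it is left unchanged.
  system.stateVersion = "unstable";

  zramSwap.enable = true;
  networking.hostName = "grimmauld-nixos-server";
  networking.domain = "";

  # NOTE(review): no services.openssh.settings are given in this file, so password
  # and keyboard-interactive logins stay at the module defaults on an
  # internet-facing host. Once key login for the account above is confirmed,
  # consider key-only access:
  #   services.openssh.settings.PasswordAuthentication = false;
  #   services.openssh.settings.KbdInteractiveAuthentication = false;
  services.openssh.enable = true;
  # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}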