{ inputs, config, ... }:
# Host configuration for "fanny": a ZFS-backed microvm host that fronts its
# guests with nginx and is a member of the malobeo WireGuard VPN. The VPN
# interface is already configured inside the initrd (presumably so the host can
# be reached for remote unlock before the root pool is mounted).
let
  sshKeys = import ../ssh_keys.nix;
  peers = import ../modules/malobeo/peers.nix;

  # NixOS modules exported by this flake itself.
  flakeModules = inputs.self.nixosModules.malobeo;

  # nginx vhost that forwards everything under "/" to a single upstream.
  # `extraConfig` is the complete nginx snippet for that location, so each
  # caller spells out its own proxy_set_header line.
  proxyTo = target: extraConfig: {
    locations."/" = {
      proxyPass = target;
      inherit extraConfig;
    };
  };
in
{
  imports = [
    # Include the results of the hardware scan.
    #./hardware-configuration.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
    ../modules/autoupdate.nix
    flakeModules.vpn
    flakeModules.initssh
    flakeModules.disko
    flakeModules.microvm
    flakeModules.metrics
    flakeModules.users
    flakeModules.backup
  ];

  # Secrets are decrypted by sops-nix from the per-host secrets file.
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      wg_private = { };
      # htpasswd file for the zine shop. Owned by the nginx user/group so the
      # worker can read it once basicAuthFile is enabled on the vhost below.
      shop_auth = {
        owner = config.services.nginx.user;
        group = config.services.nginx.group;
      };
    };
  };

  networking = {
    hostName = "fanny";
    networkmanager.enable = true;
    # Guests on the "microvm" bridge leave through the physical uplink.
    nat = {
      enable = true;
      externalInterface = "enp1s0";
      internalInterfaces = [ "microvm" ];
    };
    # NOTE(review): only TCP/80 is opened and none of the nginx vhosts sets
    # forceSSL/enableACME, so the proxied services are served over plain HTTP
    # unless TLS is terminated elsewhere - confirm that this is intended.
    firewall.allowedTCPPorts = [ 80 ];
  };

  malobeo = {
    metrics = {
      enable = true;
      enablePromtail = true;
      logNginx = true;
      lokiHost = "10.0.0.14";
    };

    autoUpdate = {
      enable = true;
      url = "https://hydra.dynamicdiscord.de";
      project = "malobeo";
      jobset = "infrastructure";
      cacheurl = "https://cache.dynamicdiscord.de";
    };

    backup = {
      enable = true;
      snapshots = [
        "storage/encrypted"
        "zroot/encrypted/var"
      ];
    };

    users = {
      malobeo = true;
      admin = true;
      backup = true;
    };

    disks = {
      enable = true;
      hostId = "a3c3101f";
      root.disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
      storage = {
        enable = true;
        disks = [
          "disk/by-id/wwn-0x50014ee265b53b60"
          "disk/by-id/wwn-0x50014ee2bb0a194a"
        ];
        mirror = true;
      };
    };

    # SSH inside the initrd, reachable by the admin keys only.
    initssh = {
      enable = true;
      authorizedKeys = sshKeys.admins;
      ethernetDrivers = [ "r8169" ];
      zfsExtraPools = [ "storage" ];
    };
  };

  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    # always update microvms: never reuse a cached tarball
    extraOptions = ''
      tarball-ttl = 0
    '';
  };

  systemd.tmpfiles.rules = [
    "L /var/lib/microvms/data - - - - /data/microvms"
    "d /data/microvms 0755 root root" #not needed for real host?
  ];

  boot.initrd = {
    availableKernelModules = [ "wireguard" ];
    # Drop the initrd tunnel before stage 2 takes over; the running system
    # configures its own VPN interface via services.malobeo.vpn.
    postMountCommands = ''
      ip address flush dev wg-initrd
      ip link set dev wg-initrd down
    '';
    systemd = {
      enable = true;
      network = {
        enable = true;
        netdevs."30-wg-initrd" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-initrd";
          };
          wireguardConfig.PrivateKeyFile = "/etc/secrets/30-wg-initrd.key";
          wireguardPeers = [
            {
              AllowedIPs = peers.vpn.allowedIPs;
              PublicKey = peers.vpn.publicKey;
              Endpoint = "${peers.vpn.publicIp}:${toString peers.vpn.listenPort}";
              PersistentKeepalive = 25;
            }
          ];
        };
        networks."30-wg-initrd" = {
          name = "wg-initrd";
          addresses = [ { Address = "${peers.fanny-initrd.address}/24"; } ];
        };
      };
    };
    # NOTE(review): boot.initrd.secrets copies this file into the initrd when
    # the boot entry is built; with an unencrypted /boot the private key is
    # readable from the boot partition. Confirm /boot is protected, or that this
    # is a dedicated initrd-only key that can be rotated independently.
    secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
  };

  services = {
    acpid.enable = true;

    tor = {
      enable = true;
      client.enable = true;
    };

    malobeo = {
      vpn = {
        enable = true;
        name = "fanny";
        privateKeyFile = config.sops.secrets.wg_private.path;
      };
      microvm = {
        enableHostBridge = true;
        deployHosts = [
          "overwatch"
          "infradocs"
          "nextcloud"
          "durruti"
          "zineshop"
        ];
      };
    };

    # Reverse proxy for the guests; upstreams are addressed on the microvm net.
    nginx = {
      enable = true;
      virtualHosts = {
        "docs.malobeo.org" = proxyTo "http://10.0.0.11:9000" ''
          proxy_set_header Host $host;
        '';

        "cloud.malobeo.org" = proxyTo "http://10.0.0.13" ''
          proxy_set_header Host $host;
          client_max_body_size 10G;
        '';

        "grafana.malobeo.org" = proxyTo "http://10.0.0.14" ''
          proxy_set_header Host $host;
        '';

        "tasklist.malobeo.org" = proxyTo "http://10.0.0.5:8080" ''
          proxy_set_header Host $host;
        '';

        "zines.malobeo.org" = {
          # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
          # then content of foo.txt put into sops
          # NOTE(review): with the next line commented out the shop is reachable
          # without credentials although sops still provisions shop_auth for it -
          # confirm that this is intended.
          # basicAuthFile = config.sops.secrets.shop_auth.path;
          locations."/" = {
            proxyPass = "http://10.0.0.15:8080";
            # Uploads are spooled to disk in small chunks; the timeouts are
            # generous for large zine files.
            extraConfig = ''
              proxy_set_header Host $host;
              client_body_in_file_only clean;
              client_body_buffer_size 32K;
              client_max_body_size 50M;
              sendfile on;
              send_timeout 300s;
            '';
          };
        };
      };
    };
  };

  # needed for printing drivers
  nixpkgs.config.allowUnfree = true;

  time.timeZone = "Europe/Berlin";

  virtualisation = {
    vmVariant.virtualisation.graphics = false;
    vmVariantWithDisko.virtualisation = {
      memorySize = 4096;
      cores = 3;
    };
  };

  system.stateVersion = "23.05"; # Do.. Not.. Change..
}