# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

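{ config, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../roles/zfs.nix
    ../../base.nix
    ../../users/root.nix
    ../../roles/fail2ban.nix
    ../../roles/tailscale.nix
    ../../roles/lldap.nix
    ../../roles/authelia.nix
    ../../roles/podman.nix
    ../../roles/minio.nix
    ../../roles/caddy.nix
    ../../roles/vscode-remote.nix
    ../../roles/postgres.nix
    ../../roles/syncthing.nix
    ./apps/dev.nix
    ./apps/nextcloud.nix
    ./apps/paperless.nix
    ./apps/searxng.nix
    ./apps/actual.nix
    ./apps/adguard.nix
    ./apps/audiobookshelf.nix
    ./apps/ollama.nix
    ./apps/open-webui.nix
  ];

  # Bootloader: GRUB with ZFS support, installed to the removable EFI path
  # (EFI/BOOT/BOOTX64.EFI) so booting does not depend on firmware NVRAM entries.
  boot.loader.grub = {
    enable = true;
    zfsSupport = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
    mirroredBoots = [
      {
        devices = [ "nodev" ];
        path = "/boot";
      }
    ];
  };

  # All networking settings for this host live in one attrset (the original
  # defined `networking` in two places; the module system merges them, but a
  # single definition is easier to audit for exposed ports).
  networking = {
    hostName = "thewordnerd";
    # 8-hex-digit host id required for ZFS pool import; not a secret.
    hostId = "91312b0a";
    useNetworkd = true;

    # NAT for NixOS containers: veth interfaces (ve-*) are masqueraded out of
    # the physical uplink, for IPv4 and IPv6.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp5s0";
      enableIPv6 = true;
    };

    # Only HTTP/HTTPS (Caddy) are opened explicitly here.
    # NOTE(review): the mail ports (SMTP submission/IMAP/ManageSieve) are not
    # listed; confirm the mailserver module opens them itself, otherwise mail
    # is unreachable from outside. SSH is deliberately kept off the public
    # interface (see services.openssh.openFirewall below); presumably it is
    # reached over tailscale via roles/tailscale.nix — verify that role trusts
    # the tailscale interface, or SSH is unreachable entirely.
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };

  # Keep sshd off the public firewall; the service itself stays enabled.
  services.openssh.openFirewall = false;

  time.timeZone = "America/Chicago";

  i18n.defaultLocale = "en_US.UTF-8";
  console.keyMap = "us";

  # Enable the Flakes feature and the accompanying new nix command-line tool
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  # Secrets are delivered through agenix; nothing sensitive is inline here.
  # Both are consumed below via config.age.secrets.<name>.path.
  age.secrets = {
    cloudflareApi.file = ../../secrets/cloudflare_api.age;
    ldap.file = ../../secrets/ldap.age;
  };

  # ACME via the Cloudflare DNS-01 challenge; the API token comes from the
  # agenix-managed environment file, so it never appears in the Nix store.
  security.acme = {
    acceptTerms = true;
    defaults.email = "nolan@thewordnerd.info";
    certs."thewordnerd.info" = {
      dnsProvider = "cloudflare";
      environmentFile = config.age.secrets.cloudflareApi.path;
    };
  };

  mailserver = {
    enable = true;
    fqdn = "thewordnerd.info";
    domains = [
      "thewordnerd.info"
      "lightsout.games"
    ];
    # Users are looked up in LDAP. The URI is plain ldap:// but bound to
    # loopback only, so the bind password never crosses a network interface.
    # NOTE(review): if this is ever pointed at a non-local host, switch to
    # ldaps:// or StartTLS first — the bind credential would otherwise travel
    # in cleartext.
    ldap = {
      enable = true;
      uris = [ "ldap://localhost:3890" ];
      bind = {
        dn = "uid=service,ou=people,dc=thewordnerd,dc=info";
        passwordFile = config.age.secrets.ldap.path;
      };
      searchBase = "ou=people,dc=thewordnerd,dc=info";
    };
    # Reuse the ACME certificate defined in security.acme above.
    certificateScheme = "acme";
    enableManageSieve = true;
    indexDir = "/var/lib/dovecot/indices";
    fullTextSearch = {
      enable = true;
      # this only applies to plain text attachments, binary attachments are never indexed
      indexAttachments = true;
    };
  };

  # Ban sources that fail mail authentication. `mode=aggressive` selects the
  # broader pattern set of the stock dovecot/postfix filters. Only the mail
  # services are jailed in this file; any jails for the HTTP services would
  # have to come from roles/fail2ban.nix.
  services.fail2ban.jails = {
    dovecot.settings = {
      filter = "dovecot[mode=aggressive]";
    };
    postfix.settings = {
      filter = "postfix[mode=aggressive]";
    };
  };

  # All Caddy virtual hosts in one attrset (originally spread over several
  # `services.caddy.virtualHosts.<name>` definitions). Caddy provisions TLS
  # for each of these names on its own.
  services.caddy.virtualHosts = {
    # Apex redirects to www, preserving the request path.
    "thewordnerd.info".extraConfig = ''redir https://www.thewordnerd.info{uri}'';

    "www.thewordnerd.info".extraConfig = ''
      file_server
      root * /var/www/thewordnerd.info
      header /.well-known/matrix/* content-type application/json
    '';

    "staging.thewordnerd.info".extraConfig = ''
      file_server
      root * /var/www/staging.thewordnerd.info
      header /.well-known/matrix/* content-type application/json
    '';

    # NOTE(review): 17170 looks like the lldap web UI (roles/lldap.nix is
    # imported) — confirm. Unlike syncthing below it has no forward_auth, so
    # the directory's own login page is on the public interface with no
    # fail2ban jail in this file covering it. If self-service from outside
    # is not required, consider `bind tailscale/users` as done for the
    # tailnet auth host below.
    "users.thewordnerd.info".extraConfig = ''reverse_proxy localhost:17170'';

    # Authelia portal, reachable publicly and on the tailnet.
    "auth.thewordnerd.info".extraConfig = ''
      reverse_proxy localhost:9091
    '';

    "auth.tailc50184.ts.net".extraConfig = ''
      bind tailscale/auth
      reverse_proxy localhost:9091
    '';

    # Syncthing GUI gated by Authelia forward-auth (policy is set in
    # services.authelia below). The Host header is rewritten to the upstream
    # address, presumably because Syncthing's GUI rejects unexpected Host
    # values as a DNS-rebinding defence — confirm before removing it.
    "syncthing.thewordnerd.info".extraConfig = ''
      forward_auth localhost:9091 {
        uri /api/authz/forward-auth
      }
      reverse_proxy localhost:8384 {
        header_up Host {upstream_hostport}
      }
    '';
  };

  # Authelia policy for the hosts protected here. The default policy and
  # authentication backend are defined in roles/authelia.nix, not in this
  # file. NOTE(review): `one_factor` admits the Syncthing admin GUI with a
  # password alone; if a second factor is enrolled, `two_factor` is the
  # stronger choice for an admin surface.
  services.authelia.instances.main.settings.access_control.rules = [
    {
      domain = "syncthing.thewordnerd.info";
      policy = "one_factor";
    }
  ];

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
}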