# hosts/valefar/configuration.nix (or default.nix)
#
# NixOS host module for "valefar": a ZFS storage box sitting on LAN bridge
# br0 that serves NFS, SMB/AFP (Time Machine) and a handful of self-hosted
# services, and runs one microvm guest.  Hardware, secrets and definitions
# shared with other hosts come from the imported files.
{ config, lib, pkgs, modulesPath, microvm, inputs, ... }:

{
  imports = [
    # Host-specific hardware and secrets
    ./hardware.nix
    ./secrets.nix
    # GPU support.  (The "commented out" nvidia entry further down is a stale
    # duplicate reference; this is the live import.)
    ../../common/nvidia.nix

    # Secrets shared by every host
    ../../host-secrets.nix

    # Modules shared across hosts
    ../../common/system.nix
    ../../common/users.nix
    ../../common/services.nix
    ../../common/efi.nix
    # ../../common/nvidia.nix   (already imported above)
  ];

  # ---------------------------------------------------------------------------
  # System
  # ---------------------------------------------------------------------------
  system.stateVersion = "24.11";
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # Intel microcode updates follow the redistributable-firmware switch.
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;

  # ---------------------------------------------------------------------------
  # Custom modules (defined in the imported common/ files)
  # ---------------------------------------------------------------------------
  modules = {
    garage.enable = true;
    forgejo.enable = true;
    immich.enable = true;
    github-runners.enable = true;
  };

  # ---------------------------------------------------------------------------
  # Networking: systemd-networkd with a single bridge for NIC + VM taps
  # ---------------------------------------------------------------------------
  networking = {
    hostName = "valefar";
    hostId = "2a07da90";
    useNetworkd = true;
    # The host firewall is off: nothing on this machine filters inbound
    # traffic, so every listener below (NFS, SMB, AFP, mDNS, Docker, the
    # enabled modules) is reachable from any host that can route to
    # 10.0.0.30 or the global IPv6 address on br0.  Exposure is bounded only
    # by upstream filtering and by each service's own ACLs.
    firewall.enable = false;
  };

  # Previous (pre-networkd) settings, kept for reference:
  #   firewall.trustedInterfaces = [ "tailscale0" ];
  #   nameservers = [ "10.0.0.210" "1.1.1.1" ];
  #   useDHCP = true;
  #   firewall.allowedTCPPorts = [ 22 80 443 2049 2456 2457 9000 9001 9002 ];
  #   firewall.allowedUDPPorts = [ 2049 ];

  systemd = {
    network = {
      enable = true;

      netdevs."br0".netdevConfig = {
        Name = "br0";
        Kind = "bridge";
      };

      networks = {
        # Physical NIC and every microvm tap ("vm-*") are enslaved to br0.
        "10-lan" = {
          matchConfig.Name = [ "enp6s0" "vm-*" ];
          networkConfig.Bridge = "br0";
        };

        # The bridge itself carries the host's addresses.
        "10-lan-bridge" = {
          matchConfig.Name = "br0";
          networkConfig = {
            Address = [ "10.0.0.30/24" "2601:5c2:8400:26c0::30/64" ];
            Gateway = "10.0.0.1";
            DNS = [ "10.0.0.210" "1.1.1.1" "1.0.0.1" ];
            IPv6AcceptRA = true;
          };
          linkConfig.RequiredForOnline = "routable";
        };
      };
    };

    services = {
      # Pools are found by scanning devNodes rather than via the cachefile,
      # so the scan unit waits for udev to settle before looking for disks.
      zfs-import-cache.enable = false;
      zfs-import-scan = {
        enable = true;
        after = [ "systemd-udev-settle.service" ];
        wants = [ "systemd-udev-settle.service" ];
      };

      # Each guest waits for its virtiofs daemon instance.
      "microvm@".after = [ "microvm-virtiofsd@%i.service" ];
    };

    # One mount unit per pool, mounted at /<pool> once the import has run.
    mounts =
      let
        zfsMount = pool: {
          what = pool;
          where = "/${pool}";
          type = "zfs";
          after = [ "zfs-import-scan.service" ];
          wants = [ "zfs-import-scan.service" ];
        };
      in
      map zfsMount [ "garage" "storage" ];

    # Directory layout on the storage pool.  "Z" re-applies owner/mode
    # recursively under /storage/immich on every boot.
    # NOTE(review): the netatalk share below points at /storage/timemachine,
    # which no rule here creates -- confirm it exists on the pool.
    tmpfiles.rules = [
      "d /storage/immich 0755 immich immich -"
      "d /storage/immich/photos 0755 immich immich -"
      "Z /storage/immich 0755 immich immich -"
      "d /storage/tm_share 0755 regent users"
    ];
  };

  # ---------------------------------------------------------------------------
  # Boot & ZFS
  # ---------------------------------------------------------------------------
  boot = {
    supportedFilesystems = [ "zfs" ];
    # Hardware-monitoring drivers (presumably for lm_sensors, installed below).
    kernelModules = [ "nct6775" "coretemp" ];
    zfs = {
      extraPools = [ "garage" "storage" ];
      devNodes = "/dev/disk/by-id";
      # Forced import: pools are taken even if they were last used under a
      # different hostid.
      forceImportAll = true;
    };
  };

  # ---------------------------------------------------------------------------
  # Services
  # ---------------------------------------------------------------------------
  services = {
    # DNS resolution
    resolved = {
      enable = true;
      domains = [ "~." ];
      fallbackDns = [ "10.0.0.210" "1.1.1.1" ];
      # DNSSEC validation and DNS-over-TLS are both explicitly disabled, so
      # upstream answers are accepted unauthenticated and in the clear.
      dnssec = "false";
      dnsovertls = "false";
    };

    # ZFS maintenance
    zfs = {
      autoScrub.enable = true;
      trim.enable = true;
    };

    # NFS server
    nfs.server = {
      enable = true;
      # The whole pool is exported to every client ("*"), read-write, and
      # with no_root_squash, so any host that can reach port 2049 gets
      # uid-0 access to /storage.  With the host firewall disabled this
      # export line is the only access control on the share; restricting the
      # client pattern to the LAN/tailnet ranges (cf. the Samba "hosts allow"
      # list) and dropping no_root_squash unless a client needs it would
      # narrow that considerably.
      exports = ''
        /storage *(rw,sync,no_subtree_check,no_root_squash)
      '';
    };

    # SMB (Time Machine target for macOS clients)
    samba = {
      enable = true;
      settings = {
        global = {
          "workgroup" = "WORKGROUP";
          "server string" = "valefar";
          "netbios name" = "valefar";
          "security" = "user";
          # Connection-level ACL: the 100.64.0.0/10 CGNAT range (presumably
          # the tailnet), the LAN and loopback may reach smbd; everything
          # else is refused before authentication.
          "hosts allow" = "100.64.0.0/10 10.0.0.0/24 127.0.0.1 localhost";
          "hosts deny" = "0.0.0.0/0";
          "guest account" = "nobody";
          "map to guest" = "bad user";
        };
        "tm_share" = {
          "path" = "/storage/tm_share";
          "valid users" = "regent";
          # NOTE(review): "public = yes" plus "map to guest = bad user" maps
          # unknown usernames to the guest account, while "valid users"
          # above is meant to limit the share to regent.  Confirm that guest
          # sessions are in fact refused on this share.
          "public" = "yes";
          "writeable" = "yes";
          "force user" = "regent";
          "fruit:aapl" = "yes";
          "fruit:time machine" = "yes";
          "vfs objects" = "catia fruit streams_xattr";
        };
      };
    };

    # AFP (legacy Time Machine path)
    netatalk = {
      enable = true;
      settings.time-machine = {
        path = "/storage/timemachine";
        "valid users" = "regent";
        "time machine" = true;
      };
    };

    # mDNS advertisement of the SMB Time Machine share
    avahi = {
      enable = true;
      nssmdns = true;
      publish = {
        enable = true;
        userServices = true;
      };
      # NOTE(review): an avahi service file is XML; the element markup looks
      # to have been lost from this copy, leaving only the text nodes
      # (name %h, the _smb/_device-info/_adisk records).  Verify against the
      # original file before deploying.
      extraServiceFiles.timemachine = ''
        %h _smb._tcp 445 _device-info._tcp 0 model=TimeCapsule8,119 _adisk._tcp dk0=adVN=tm_share,adVF=0x82 sys=waMa=0,adVF=0x100
      '';
    };

    # Remote VS Code server support
    vscode-server = {
      enable = true;
      nodejsPackage = pkgs.nodejs_20;
    };
  };

  # ---------------------------------------------------------------------------
  # Virtualisation
  # ---------------------------------------------------------------------------
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
    # Build the daemon with the Go 1.23 builder instead of the default one.
    package = pkgs.docker.override { buildGoModule = pkgs.buildGo123Module; };
  };

  # ---------------------------------------------------------------------------
  # Packages
  # ---------------------------------------------------------------------------
  environment.systemPackages = [
    pkgs.lm_sensors
    pkgs.code-server
    inputs.agenix.packages.x86_64-linux.default
  ];

  # ---------------------------------------------------------------------------
  # Virtual machines
  # ---------------------------------------------------------------------------
  microvm = {
    vms.gameservers.config = import ./gamevm.nix;
    autostart = [ "gameservers" ];
  };
}