{ config, pkgs, lib, ... }:

# Host "wind": GRUB/ZFS machine on a single disk, running the services
# pulled in by the imports below. Packet filtering is delegated to the
# provider-side (Hetzner) firewall; the NixOS host firewall is disabled.
{
  imports = [
    ./hardware-configuration.nix
    ../../common/services/ssh.nix
    ../../common/users.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
    ./services/postgres.nix
    ./services/synapse.nix
    ./services/ttrss.nix
    ./services/gitea.nix
    ./services/restic.nix
    ./services/vaultwarden.nix
    ./services/wireguard.nix
    ./data/secrets/secrets.nix
  ];

  # Bootloader and kernel: legacy GRUB installed to /dev/sda, kernel pinned
  # to the 5.10 series, ZFS available at boot.
  boot = {
    loader.grub = {
      enable = true;
      version = 2;
      device = "/dev/sda";
    };
    kernelPackages = pkgs.linuxPackages_5_10;
    supportedFilesystems = [ "zfs" ];
  };

  # Periodic ZFS snapshots and scrubs.
  services.zfs = {
    autoSnapshot.enable = true;
    autoScrub.enable = true;
  };

  time.timeZone = "Europe/Copenhagen";

  networking = {
    hostName = "wind";
    hostId = "929e7fb7";

    # DHCP is enabled per interface rather than globally.
    useDHCP = false;
    interfaces.ens3 = {
      useDHCP = true;
      ipv6.addresses = [
        { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; }
      ];
    };
    defaultGateway6 = {
      address = "fe80::1";
      interface = "ens3";
    };

    # Host firewall intentionally off: the Hetzner firewall is used instead.
    # The rule set previously expressed here is kept for reference only
    # (the UDP range option is spelled allowedUDPPortRanges):
    # firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
    # firewall.allowedUDPPorts = [ 3478 5349 ];
    # firewall.allowedUDPPortRanges = [ { from = 49152; to = 49999; } ];
    firewall.enable = false;
  };

  # Deployment account, member of the nginx group, authenticated with the
  # key below.
  users.users.deploy-web = {
    isNormalUser = true;
    extraGroups = [ "nginx" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
    ];
  };

  # Supplementary memberships for the acme and backup groups (the groups
  # themselves are presumably declared by the imported service modules).
  users.groups = {
    acme.members = [ "nginx" "turnserver" "gitea" ];
    backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
  };

  # NOTE(review): wheel members get passwordless sudo AND are Nix trusted
  # users, so wheel membership is root-equivalent on this host.
  security.sudo.wheelNeedsPassword = false;
  nix = {
    autoOptimiseStore = true;
    trustedUsers = [ "root" "@wheel" ];
  };

  environment.systemPackages = [ pkgs.vim pkgs.htop pkgs.iotop pkgs.dig ];

  system.stateVersion = "21.05";
}