# NixOS module for the host "server": unattended upgrades, Nix daemon settings,
# networking/firewall, backups, and the services and login user defined below.
# Security-relevant review notes are marked NOTE(review); they describe what
# this file shows and hedge anything that depends on modules not visible here.
{ config
, pkgs
, inputs
, lib
, ...
}: {
  imports = [
    ./hardware-configuration.nix
    ./containers
    ./caddy.nix
    ./gui.nix
    ./drives.nix
    ./games/palworld.nix
    ./games/minecraft
    ./services
    inputs.common-modules.nixosModules.nixos-upgrade
    ./remote-builder.nix
  ];

  nixpkgs = {
    config = {
      allowUnfree = true;
    };
    # Overlay comes from a flake input; its contents are trusted at the
    # revision pinned in the flake lock file.
    overlays = [
      inputs.nix-minecraft-plugin-upgrade.overlays.default
    ];
  };

  # Unattended upgrades with automatic reboot, driven from the flake in /etc/nixos.
  # NOTE(review): `updateFlake` and `extraCommands` are not defined in this file;
  # presumably they come from the imported nixos-upgrade module. Confirm how that
  # module runs extraCommands (user, working directory, error handling).
  # NOTE(review): every run re-resolves inputs and plugin versions and deploys the
  # result without human review, so upstream compromise reaches this host on the
  # next upgrade. Check that the generated plugin file pins content hashes.
  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
    flake = "/etc/nixos";
    updateFlake = true;
    # minecraft plugin auto update
    extraCommands =
      let
        plugins = [
          "simple-voice-chat" # https://modrinth.com/plugin/simple-voice-chat
          "worldedit" # https://modrinth.com/plugin/worldedit
        ];
        # Path of the generated plugin list; it is also staged and committed below.
        pluginFile = "games/minecraft/paper-vanilla-plugins.nix";
      in
      ''
        nix-minecraft-plugin-upgrade --loader paper --game-version 1.21.4 --project ${builtins.concatStringsSep " --project " plugins} --file ${pluginFile}
        git add ${pluginFile}
        git commit ${pluginFile} -m "Updated ${pluginFile}"
      '';
  };

  nix = {
    package = pkgs.lix;
    gc = {
      automatic = true;
      dates = "weekly";
    };
    optimise = {
      automatic = true;
      dates = [ "06:00" ];
    };
    settings = {
      # NOTE(review): this turns off build isolation for every derivation on the
      # host, not only Caddy: any build can reach the network and the filesystem.
      # A fixed-output build with a pinned hash (nixpkgs' caddy.withPlugins, where
      # the pinned nixpkgs has it) or `sandbox = "relaxed"` with a per-derivation
      # opt-out would keep the sandbox on for everything else.
      sandbox = false; # Caddy cannot be built in a sandbox because it retrieves external dependencies (i.e. cloudflare-dns module)
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
      # Only wheel members and owo may talk to the Nix daemon.
      allowed-users = [ "@wheel" "owo" ];
    };
  };

  boot = {
    supportedFilesystems = [ "btrfs" "mergerfs" ];
    tmp.cleanOnBoot = true;
    # Nvidia driver on latest kernel
    # kernelPackages = pkgs.linuxPackages_latest;
    loader = {
      systemd-boot = {
        enable = true;
        configurationLimit = 5;
      };
      efi.canTouchEfiVariables = true;
    };
  };

  # Environment variable passed to tailscaled; it opts the daemon out of
  # uploading its logs to Tailscale.
  systemd.services.tailscaled.environment = {
    TS_NO_LOGS_NO_SUPPORT = "true";
  };

  networking = {
    hostName = "server";
    networkmanager.enable = true;
    resolvconf = {
      enable = true;
      useLocalResolver = true; # prefers tailscale dns otherwise
    };
    nameservers = [
      "127.0.0.1"
      # cloudflare
      "1.1.1.1"
      "1.0.0.1"
    ];
    interfaces.enp0s31f6q = {
      ipv6.addresses = [{
        address = "2001:7d0:84a6:5900:263a:6e9b:63e4:3b82";
        prefixLength = 64;
      }];
      ipv4.addresses = [{
        address = "192.168.1.131";
        prefixLength = 24;
      }];
    };
    # Only 80/443 are opened here. Other options in this file (syncthing's
    # openDefaultPorts) and the imported modules may open more.
    # NOTE(review): Docker maintains its own packet-filter rules, so ports
    # published by containers are generally reachable regardless of this list.
    # The host has a global IPv6 address, so audit what is actually listening.
    firewall = {
      enable = true;
      allowedTCPPorts = [
        # HTTP/HTTPS
        80
        443
      ];
    };
  };

  time.timeZone = "Europe/Tallinn";

  i18n = {
    defaultLocale = "en_GB.UTF-8";
    extraLocaleSettings = {
      LC_ADDRESS = "et_EE.UTF-8";
      LC_IDENTIFICATION = "et_EE.UTF-8";
      LC_MEASUREMENT = "et_EE.UTF-8";
      LC_MONETARY = "et_EE.UTF-8";
      LC_NAME = "et_EE.UTF-8";
      LC_NUMERIC = "et_EE.UTF-8";
      LC_PAPER = "et_EE.UTF-8";
      LC_TELEPHONE = "et_EE.UTF-8";
      LC_TIME = "et_EE.UTF-8";
    };
  };

  hardware = {
    nvidia = {
      package = config.boot.kernelPackages.nvidiaPackages.stable;
      modesetting.enable = true;
      open = false; # enable soon
    };
    nvidia-container-toolkit.enable = true;
  };

  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
  };

  environment.variables = {
    EDITOR = lib.getExe pkgs.helix;
    VISUAL = lib.getExe pkgs.helix;
  };

  programs = {
    mosh.enable = true;
    git.enable = true;
    fish.enable = true;
    ssh.startAgent = true;
  };

  security = {
    # NOTE(review): passwordless sudo for wheel means anything running as owo
    # (a stolen SSH key, a compromised user process) is root with no second
    # factor. owo is also in the docker group below, which grants equivalent
    # access through the Docker socket.
    sudo.wheelNeedsPassword = false;
    acme = {
      acceptTerms = true;
      defaults.email = "ssl@catnip.ee";
    };
  };

  services = {
    # Daily encrypted backup of service state, secrets and this configuration to
    # a remote Borg repository over SSH.
    # NOTE(review): /etc/secrets is in `paths` and also holds the passphrase read
    # by passCommand, so the passphrase is stored inside the archive it unlocks.
    # Keep a copy of the passphrase (and an exported repokey) off this host, or a
    # restore after total loss is impossible.
    # NOTE(review): the job authenticates with owo's personal key. A dedicated
    # key limited to this repository (append-only, if the provider supports it)
    # would stop a host compromise from deleting backup history. Also confirm
    # /etc/secrets is readable by root only; its permissions are not set here.
    borgbackup.jobs."borgbase" = {
      paths = [
        # maybe only include /var/lib?
        "/var/lib/mysql"
        "/var/lib/postgresql"
        "/var/lib/acme"
        "/var/lib/tailscale"
        "/var/lib/caddy"
        "/var/lib/syncthing"
        "/etc/secrets"
        "/etc/nixos"
      ];
      repo = "ssh://uq9l5635@uq9l5635.repo.borgbase.com/./repo";
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat /etc/secrets/borgpass";
      };
      environment.BORG_RSH = "ssh -i /home/owo/.ssh/id_rsa";
      compression = "auto,lzma";
      startAt = "daily";
    };

    # NOTE(review): the web GUI binds to every interface. Port 8384 is not in
    # allowedTCPPorts in this file, so exposure depends on the firewall and on
    # whatever other modules open. No GUI credentials are configured here.
    # Binding to 127.0.0.1 or the tailnet address would remove that reliance.
    # openDefaultPorts opens Syncthing's transfer and discovery ports.
    syncthing = {
      enable = true;
      guiAddress = "0.0.0.0:8384";
      openDefaultPorts = true;
    };

    # Host acts as a Tailscale exit node; the caddy user may request tailnet TLS
    # certificates from tailscaled (permitCertUid).
    tailscale = {
      enable = true;
      useRoutingFeatures = "server";
      extraSetFlags = [ "--advertise-exit-node" ];
      permitCertUid = "caddy";
      port = 0;
    };

    # /var/lib/postgresql
    postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      # NOTE(review): the server listens on TCP, but the pg_hba override below
      # contains only a `local` (unix-socket) rule. Unless another module adds
      # host rules at the same or a stronger priority, TCP clients match nothing.
      # If no client needs TCP, turning this off removes the listener.
      enableTCPIP = true;
      # SQL for initial database setup; the role is created without a password,
      # so it can only log in through the peer rule below.
      initialScript = pkgs.writeText "backend-initScript" ''
        CREATE USER "matrix-synapse";
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" LOCALE 'C' ENCODING 'UTF8' TEMPLATE template0;
      '';
      # pg_ident entries (map name, OS user, database role): each role is
      # reachable by the OS user of the same name and by root.
      identMap = ''
        superuser_map root mastodon
        superuser_map mastodon mastodon
        superuser_map root matrix-synapse
        superuser_map matrix-synapse matrix-synapse
        superuser_map root forgejo
        superuser_map forgejo forgejo
        superuser_map root postgres
        superuser_map postgres postgres
        superuser_map root wakapi
        superuser_map wakapi wakapi
        superuser_map root nextcloud
        superuser_map nextcloud nextcloud
      '';
      # Priority 10 replaces lower-priority definitions of this option, leaving
      # peer authentication over the unix socket, limited to the database named
      # after the role, as the only rule defined in this file.
      authentication = pkgs.lib.mkOverride 10 ''
        #type database DBuser auth-method optional_ident_map
        local sameuser all peer map=superuser_map
      '';
    };

    # Key-only SSH; direct root login is disabled.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    cloudflare-dyndns = {
      enable = false; # broken, related https://github.com/NixOS/nixpkgs/pull/394352
      apiTokenFile = "/etc/secrets/cloudflare-dyndns.env";
      ipv4 = true;
      ipv6 = true;
      domains = [ "catnip.ee" ];
    };
  };

  users = {
    defaultUserShell = pkgs.fish;
    users = {
      # The only interactive account defined here. wheel gives passwordless sudo
      # (see security.sudo above) and docker gives access to the Docker socket,
      # so the two SSH keys below are effectively root credentials.
      owo = {
        isNormalUser = true;
        extraGroups = [ "networkmanager" "wheel" "docker" ];
        openssh.authorizedKeys.keys = [
          "ssh-rsa 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 lain@navi" # desktop
          "ssh-rsa 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 mina@navi" # laptop
        ];
        packages = with pkgs; [
          # gui
          firefox
          mpv
          helix
          magic-wormhole-rs
          ffmpeg
          speedtest-cli
          htop
          progress
          duperemove
          tmux
          du-dust # du alternative
          dogedns # dig alternative
          wget
          nix-minecraft-plugin-upgrade
        ];
      };
    };
  };

  system.stateVersion = "23.05";
}