# NixOS host configuration for "atlantis": a small VM that serves a site from
# a git checkout through Caddy (with experimental HTTP/3) and hands "legacy"
# PHP requests to a PHP-FPM pool over a unix socket.
{ config, pkgs, ... }:

let
  # The single ed25519 key authorized for both the admin user and root below.
  adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWDArL4+m9kUmLyWcmUby5+CVrmBThP0KbQWep32+BF laura@zotan.network";

  # Web root, fetched from the "dev" branch at evaluation time. No `rev` is
  # given, so every rebuild serves whatever that branch head happens to be;
  # the name carries __currentTime, presumably so an earlier fetch is never
  # reused. Pinning a `rev` would make the deployed tree reproducible and
  # reviewable.
  siteSource = builtins.fetchGit {
    url = "https://git.ztn.sh/zotan/zotan.pw-web.git";
    ref = "dev";
    name = "zotan.pw-web-${toString __currentTime}";
  };
in
{
  imports = [ ./hardware-configuration.nix ];

  boot = {
    loader.grub = {
      enable = true;
      version = 2;
      device = "/dev/vda";
    };
    kernel.sysctl = {
      # Larger socket receive buffer; presumably for the UDP/QUIC listener
      # that services.caddy enables below.
      "net.core.rmem_max" = 2500000;
      # The FQDN is written straight into the kernel because, as the author
      # notes, networking.hostName (left empty below) does not take one.
      "kernel.hostname" = "atlantis.zotan.network";
    };
  };

  networking = {
    hostName = ""; # no FQDN support in this option; see kernel.hostname above
    useDHCP = false;
    interfaces.enp1s0 = {
      ipv4.addresses = [ { address = "10.42.0.4"; prefixLength = 24; } ];
      ipv6.addresses = [ { address = "2a01:4f8:241:5bb4:acab::2"; prefixLength = 64; } ];
    };
    defaultGateway = { address = "116.202.163.154"; interface = "enp1s0"; };
    defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
    nameservers = [ "1.1.1.1" ];
    firewall = {
      # 443/udp exists for the HTTP/3 listener configured in services.caddy.
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ 443 ];
      package = pkgs.iptables-nftables-compat;
    };
  };

  time.timeZone = "Europe/Berlin";

  # Members of "wheel" (only zotan below) get sudo without a password, so the
  # SSH key on that account is effectively root access.
  security.sudo.wheelNeedsPassword = false;

  users = {
    mutableUsers = false; # accounts and password hashes come only from this file
    users = {
      zotan = {
        isNormalUser = true;
        home = "/home/zotan";
        extraGroups = [ "wheel" ];
        hashedPassword = "$6$iKwOP5T6P8BV0sHt$f2xjotyDs7ohIgzDq7ypHiQU.hI6evfgbAuOyMoId3aNj/6MDuo7AgmCBF.7Y0BnL/rNcXBqDXjNSWf6xtRwp.";
        openssh.authorizedKeys.keys = [ adminKey ];
      };
      # Root keeps a password hash and the same SSH key. SSH password logins are
      # disabled below; whether root may log in with the key is decided by
      # services.openssh.permitRootLogin, which is left at its default here.
      root = {
        hashedPassword = "$6$Zu.eBdDB1fhE4tKR$gZ6wgCaWZxhI.BLyONpwifH3vRoYcJ8/84n.cWJgZiItF09XZdajvqm8tvM19zCBqDqdBMFpeqF3.DWEfv7Ul0";
        openssh.authorizedKeys.keys = [ adminKey ];
      };
      # Unprivileged account the PHP-FPM pool runs as.
      php = {
        isSystemUser = true;
        createHome = false;
        group = "php";
      };
    };
    groups.php = { };
  };

  environment.systemPackages = [ pkgs.wget pkgs.nftables pkgs.htop pkgs.git ];

  services = {
    openssh = {
      enable = true;
      passwordAuthentication = false; # key-based logins only
    };

    caddy = {
      enable = true;
      # Enable the experimental HTTP/3 (QUIC) listener on 443.
      globalConfig = ''
        servers :443 {
          protocol {
            experimental_http3
          }
        }
      '';
      virtualHosts."h3.zotan.pw".extraConfig = ''
        root * ${siteSource.outPath}
        encode gzip zstd
        try_files /blog/posts/{path} {path}.php
        file_server {
          precompressed zstd br gzip
        }

        # "legacy" PHP
        route {
          # Add trailing slash for directory requests
          @canonicalPath {
            file {path}/index.php
            not path */
          }
          redir @canonicalPath {path}/ 308

          # If the requested file does not exist, try index files
          @indexFiles file {
            try_files {path} {path}/index.php
            split_path .php
          }
          rewrite @indexFiles {http.matchers.file.relative}

          # Proxy PHP files to the FastCGI responder
          @phpFiles path *.php
          reverse_proxy @phpFiles unix/${config.services.phpfpm.pools.caddy.socket} {
            transport fastcgi {
              split .php
            }
          }
        }
      '';
    };

    # The pool Caddy proxies *.php requests to; runs as the php user/group.
    phpfpm.pools.caddy = {
      user = "php";
      group = "php";
      phpPackage = pkgs.php;
      settings = {
        # The socket is owned by Caddy's user so Caddy can connect to it.
        "listen.owner" = config.services.caddy.user;
        "pm" = "dynamic";
        "pm.max_children" = 75;
        "pm.start_servers" = 10;
        "pm.min_spare_servers" = 5;
        "pm.max_spare_servers" = 20;
        "pm.max_requests" = 500;
      };
    };
  };

  system.stateVersion = "21.11"; # Leave this alone
}