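{ config, lib, pkgs, ... }:

let
  # Module
  host = config.host;

  # Resources
  palette = import ./resources/palette.nix;
in
{
  imports = [
    ./components/backup.nix
    ./components/keyboard.nix
    ./components/locale.nix
    ./components/mail.nix
    ./components/printer.nix
    ./components/scanner.nix
  ];

  # Pending NixOS/nixpkgs#55674
  # Names (as returned by `lib.getName`) of the unfree packages this
  # configuration is allowed to evaluate. Every module may contribute entries;
  # the lists are merged. Defaults to empty so `allowUnfreePredicate` below
  # evaluates even when no module sets it.
  options.allowedUnfree = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
  };

  # Per-host parameters supplied by the host-specific configuration.
  options.host = {
    name = lib.mkOption { type = lib.types.str; };
    # Directory of host-local (non-versioned) resources such as the U2F
    # registration file.
    local = lib.mkOption { type = lib.types.path; };
    resources = lib.mkOption { type = lib.types.path; };
    wireguard = {
      ip = lib.mkOption { type = lib.types.str; };
      # NOTE(review): not referenced in this file (wg0 sets no ListenPort);
      # presumably consumed by a component module — confirm.
      port = lib.mkOption { type = lib.types.int; };
      # Peer name -> { ip, key, endpoint }. Used both for the wg0 peer list
      # and for /etc/hosts entries (see `networking.extraHosts`).
      peers = lib.mkOption {
        type = lib.types.attrsOf (lib.types.submodule {
          options = {
            ip = lib.mkOption { type = lib.types.str; };
            key = lib.mkOption { type = lib.types.str; };
            endpoint = lib.mkOption { type = lib.types.str; };
          };
        });
      };
    };
  };

  config = {
    nixpkgs.overlays = [ (import ./packages.nix) ];

    # Nix
    nix.settings.auto-optimise-store = true;
    nix.gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
    nix.extraOptions = ''
      # Recommended by nix-direnv
      keep-outputs = true
      keep-derivations = true
    '';
    # Only packages whose name is listed in `allowedUnfree` may be unfree;
    # any other unfree package fails evaluation instead of being pulled in silently.
    nixpkgs.config.allowUnfreePredicate = p: builtins.elem (lib.getName p) config.allowedUnfree; # Pending NixOS/nixpkgs#55674
    nix.daemonCPUSchedPolicy = "batch";
    # Print a package-level diff between the running system and the one being
    # activated, so unexpected changes are visible at switch time.
    system.activationScripts.diff = ''
      PATH="${lib.makeBinPath [ pkgs.nix ]}" \
        ${pkgs.nvd}/bin/nvd diff '/run/current-system' "$systemConfig"
    '';

    # Boot
    allowedUnfree = [ "memtest86-efi" ];
    boot.loader.systemd-boot.enable = true;
    boot.loader.systemd-boot.memtest86.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    boot.plymouth.enable = true;

    # Swap
    zramSwap.enable = true;

    # Filesystems
    # The root PV is LUKS-encrypted. The passphrase is an OpenPGP-encrypted file
    # decrypted with a smartcard in the initrd; if the card is unavailable the
    # initrd falls back to an interactive passphrase prompt.
    boot.initrd.luks = {
      gpgSupport = true;
      devices.pv = {
        device = "/dev/disk/by-partlabel/pv-enc";
        # Passes TRIM through the encrypted mapping; see the option's own
        # documentation for the information it exposes about block usage.
        allowDiscards = true;
        fallbackToPassword = true;
        gpgCard.encryptedPass = ./local/resources/luks-passphrase.gpg;
        gpgCard.publicKey = ./resources/andrew.asc;
      };
    };
    fileSystems."/".options = [ "compress=zstd:2" "discard=async" "noatime" ];
    services.btrfs.autoScrub.enable = true;
    # NOTE(review): `boot.cleanTmpDir` and `services.openssh.passwordAuthentication`
    # below are the pre-23.05 option names (`boot.tmp.cleanOnBoot`,
    # `services.openssh.settings.PasswordAuthentication`); fine if this targets
    # an older release — confirm.
    boot.cleanTmpDir = true;

    # Time
    time.timeZone = "America/Los_Angeles";

    # Networking
    networking.hostName = host.name;
    networking.domain = "home.arpa";
    networking.search = [ "home.arpa" ];
    # One /etc/hosts line per WireGuard peer: "<peer ip> <peer name>".
    networking.extraHosts = lib.concatStringsSep "\n"
      (lib.mapAttrsToList (hostname: peer: "${peer.ip} ${hostname}") host.wireguard.peers);
    systemd.network = {
      enable = true;
      netdevs."90-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        # The private key is read by systemd-networkd at runtime from a path
        # outside the Nix store, so it never lands in the world-readable store.
        wireguardConfig.PrivateKeyFile = "/var/lib/wireguard/wg0.key";
        # Each peer may only source traffic from its own /32.
        wireguardPeers = lib.mapAttrsToList (_: peer: {
          wireguardPeerConfig = {
            AllowedIPs = [ "${peer.ip}/32" ];
            Endpoint = peer.endpoint;
            PublicKey = peer.key;
          };
        }) host.wireguard.peers;
      };
      networks."90-wg0" = {
        name = "wg0";
        address = [ "${host.wireguard.ip}/24" ];
      };
    };
    # Workaround for https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6235
    networking.networkmanager.unmanaged = [ "wg0" ];
    # Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
    # Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
    system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";

    # Console
    console.packages = with pkgs; [ terminus_font ];
    console.font = "ter-v32n";
    # 16-colour VT palette, colours 0-7 then 8-15; `console.colors` takes bare
    # hex, so the palette's leading `#` is stripped.
    console.colors = map (lib.removePrefix "#") (with palette; [
      "#000000" red green yellow blue orange purple white
      gray red green yellow blue orange purple white
    ]);

    # Power
    systemd.ctrlAltDelUnit = "poweroff.target";
    services.irqbalance.enable = true;

    # Authentication
    # U2F token for PAM. `control = "sufficient"` means a successful token
    # touch alone satisfies authentication (no password prompt); the
    # registration file lives in host-local resources.
    security.pam.u2f = {
      enable = true;
      appId = "pam://${host.name}";
      authFile = host.local + "/resources/andrew.u2f";
      control = "sufficient";
      cue = true;
    };

    # Authorization
    # NOTE(review): passwordless `nixos-rebuild switch`/`boot` lets any wheel
    # member activate an arbitrary system configuration, which is effectively
    # passwordless root for that group; acceptable on a single-user machine,
    # so keep wheel membership minimal.
    security.sudo.extraRules = [
      {
        groups = [ "wheel" ];
        commands = [
          { command = "/run/current-system/sw/bin/btrfs balance start --enqueue -dusage=50 -musage=50 /"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nix-channel --update"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nixos-rebuild boot"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/nixos-rebuild switch"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
        ];
      }
    ];

    # SSH
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
    };

    # Service monitoring
    # Template unit: `%I` is the name of the failed unit; it mails root that
    # unit's full status.
    systemd.services."alert@" = {
      description = "Alert of failed %I";
      serviceConfig.SyslogIdentifier = "%p";
      serviceConfig.Type = "oneshot";
      serviceConfig.ExecStart = with pkgs; ''
        ${bash}/bin/bash -c "${system-sendmail}/bin/sendmail -i root \
          <<< $'Subject: %I failed\n\n'\"$(systemctl --full status %I)\""
      '';
    };

    # SMART monitoring
    services.smartd = {
      enable = true;
      notifications.mail.enable = true;
    };

    # Firmware updates
    hardware.enableRedistributableFirmware = true;
    services.fwupd.enable = true;

    # Audio
    hardware.pulseaudio.enable = false;
    security.rtkit.enable = true;
    systemd.services.rtkit-daemon.serviceConfig.LogLevelMax = "notice";
    services.pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse.enable = true;
    };

    # Virtualization
    virtualisation = {
      containers.registries.search = [ "docker.io" ];
      docker = {
        enable = true;
        enableOnBoot = false;
        autoPrune.enable = true;
      };
      podman.enable = true;
      libvirtd.enable = true;
    };

    # OpenPGP
    services.pcscd.enable = true;
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };

    # Graphical environment
    services.xserver.enable = true;
    services.xserver.displayManager.gdm.enable = true;
    services.xserver.desktopManager.gnome.enable = true;

    # Applications
    environment.localBinInPath = true;
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
    environment.gnome.excludePackages = with pkgs; [
      gnome.epiphany
      gnome.geary
      gnome.gnome-calculator
      gnome.gnome-maps
      gnome.gnome-music
      gnome.gnome-weather
      gnome-photos
    ];
    programs.zsh.enable = true;

    # Users
    users.mutableUsers = false;
    users.groups.ak.gid = 1000;
    users.users.ak = {
      isNormalUser = true;
      uid = 1000;
      group = "ak";
      # `docker` and `libvirtd` membership is root-equivalent on the host;
      # redundant with `wheel` here but worth remembering if wheel is removed.
      extraGroups = [ "wheel" "networkmanager" "lp" "scanner" "podman" "docker" "libvirtd" "ydotool" ];
      description = "Andrew";
      # `lib.fileContents` strips the trailing newline that `builtins.readFile`
      # keeps; a newline in the hash would make the password unusable.
      # NOTE(review): the hash still ends up in the generated (store-resident)
      # users configuration; `passwordFile` pointing at a runtime path avoids
      # that — consider if the store being world-readable is a concern.
      hashedPassword = lib.fileContents ./local/resources/ak.passwd;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [ (builtins.readFile ./resources/andrew.pub) ];
    };
  };
}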