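# NixOS module for the host "nixos-server": NVIDIA container support, static
# networking, rootless podman, restic backups with agenix-managed secrets,
# and a weekly podman prune for the `admin` user.
{ config, pkgs, ... }:
{
  # Keep admin's systemd user session alive without an interactive login
  # (presumably so rootless podman containers survive logout; confirm).
  users.users.admin.linger = true;

  # agenix decrypts every secret declared under `age.secrets` with this key.
  # NOTE(review): this is admin's personal SSH key, so anything able to read
  # it can decrypt all secrets below. Keep it mode 0600 and consider a
  # dedicated host key for secret decryption.
  age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];

  nixpkgs.config.allowUnfree = true;

  # NVIDIA: proprietary driver plus container toolkit for GPU access in containers.
  hardware.nvidia-container-toolkit.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.graphics.enable = true;
  hardware.nvidia = {
    modesetting.enable = true;
    powerManagement.enable = true;
    powerManagement.finegrained = false;
    open = false;
    nvidiaSettings = false;
    package = config.boot.kernelPackages.nvidiaPackages.stable;
  };

  networking.hostName = "nixos-server";

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  boot.loader.grub.useOSProber = true;

  environment.systemPackages = with pkgs; [
    zsh
    htop
    fastfetch
    restic
    nixpkgs-fmt
    nixfmt-rfc-style
  ];

  # NOTE(review): the host firewall is off while IP forwarding is on (see
  # boot.kernel.sysctl below), so every listening socket and every published
  # container port is reachable from the whole 192.168.0.0/24 segment.
  # Left unchanged because the required ports are not visible here; prefer
  # enabling the firewall with an explicit networking.firewall.allowedTCPPorts
  # / allowedUDPPorts list once they are known.
  networking.firewall.enable = false;

  networking.interfaces.ens18.ipv4.addresses = [
    {
      address = "192.168.0.30";
      prefixLength = 24;
    }
  ];
  networking.defaultGateway = "192.168.0.1";
  networking.nameservers = [ "1.1.1.1" ];

  boot.kernel.sysctl = {
    # Lets any unprivileged process (not just podman) bind ports >= 80.
    "net.ipv4.ip_unprivileged_port_start" = 80;
    "net.ipv4.conf.all.src_valid_mark" = 1;
    # The host routes IPv4 between interfaces; see the firewall note above.
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.ip_forward" = 1;
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      autoPrune.enable = true;
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  # Encrypted restic credentials; agenix decrypts them at activation and
  # exposes the plaintext through `config.age.secrets.<name>.path`.
  age.secrets = {
    "restic/environmentFile".file = ../../secrets/restic/environmentFile.age;
    "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age;
    "restic/passwordFile".file = ../../secrets/restic/passwordFile.age;
  };

  services.restic.backups.backup = {
    initialize = true;
    environmentFile = config.age.secrets."restic/environmentFile".path;
    repositoryFile = config.age.secrets."restic/repositoryFile".path;
    passwordFile = config.age.secrets."restic/passwordFile".path;
    paths = [
      "/mnt/services"
      "/mnt/data"
    ];
    exclude = [ "/mnt/services/cctv" ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
    ];
  };

  # Weekly prune of admin's (rootless) podman storage.
  systemd.timers."prune-podman" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";
      Persistent = true;
      # Fixed: this pointed at "podman-prune.service", which is not the unit
      # defined below, so the admin-scoped prune was never triggered. (That
      # name looks like the root-level unit NixOS generates for
      # virtualisation.podman.autoPrune; confirm.)
      Unit = "prune-podman.service";
    };
  };

  systemd.services."prune-podman" = {
    # `-a` removes all unused images, not only dangling ones; `-f` skips the prompt.
    script = ''
      set -eu
      ${pkgs.coreutils}/bin/echo "heeeeelpppppp"
      ${pkgs.podman}/bin/podman system prune -af
    '';
    serviceConfig = {
      Type = "oneshot";
      # Runs as admin so it prunes that user's store rather than root's.
      User = "admin";
    };
  };

  system.stateVersion = "24.11";

  # give permissions for zigbee USB transceiver
  # NOTE(review): o+rw lets every local user and process open the serial
  # device, and the mode is lost when the adapter is re-plugged until the next
  # activation. A udev rule granting a dedicated group would be narrower and
  # persistent. The existence check keeps activation from reporting an error
  # when the adapter is unplugged.
  system.activationScripts.script.text = ''
    if [ -e /dev/ttyACM0 ]; then
      chmod o+rw /dev/ttyACM0
    fi
  '';
}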