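# NixOS host configuration for "oignon" (a ThinkPad X201 used by julm).
#
# Security-relevant decisions made in this file:
#   * julm is in "wheel" AND a Nix trusted user -> root-equivalent either way.
#   * The display manager auto-logs julm in, so physical access == session.
#   * Two sshfs mounts are done by root through `sudo -u julm ssh`, so julm's
#     ssh config / known_hosts / agent decide which remote hosts are trusted.
#   * TCP/8000 is opened, but only on the wg-intra WireGuard interface.
{ config, pkgs, lib, private, hostName, ... }:
{
  imports = [
    ../nixos/profiles/dnscrypt-proxy2.nix
    ../nixos/profiles/graphical.nix
    ../nixos/profiles/lang-fr.nix
    ../nixos/profiles/networking.nix
    ../nixos/profiles/printing.nix
    ../nixos/profiles/security.nix
    ../nixos/profiles/system.nix
    ../nixos/profiles/tor.nix
    ../nixos/profiles/wireguard/wg-intra.nix
    oignon/backup.nix
    oignon/hardware.nix
    oignon/wireguard.nix
  ];

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
    host.hardware = [ "ThinkPad" "X201" ];
  };
  # Keep only the current home-manager generation.
  # NOTE: this also removes the ability to roll the home profile back
  # with `home-manager generations`; it is a deliberate disk-space trade-off.
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';

  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # The password hash is read at evaluation time, so a copy ends up in the
    # world-readable /nix/store (and in the system closure that is pushed to
    # binary caches / other hosts). That copy, not the one the activation
    # script writes to the shadow database, is the exposure: treat the hash as
    # public and rely on a strong passphrase. The file lives under
    # private/world/ to make that explicit.
    hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
    extraGroups = [
      "adbusers"
      "lp"
      "networkmanager"
      "scanner"
      "tor"
      "video"
      "wheel" # sudo -> root
      #"ipfs"
      config.services.davfs2.davGroup
      #"vboxusers"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = false;
    # Only the losurdo host's key may log in as julm over SSH.
    openssh.authorizedKeys.keys = map lib.readFile [
      ../private/shared/ssh/julm/losurdo.pub
    ];
  };

  nix = {
    # Private signing key for the paths this host serves/pushes; the path is
    # resolved at activation time, not copied into the store.
    extraOptions = ''
      secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
    '';
    # NOTE(review): a trusted Nix user can pass arbitrary substituters and
    # sandbox/build options to the daemon and is therefore root-equivalent.
    # Acceptable here only because julm is already in "wheel".
    trustedUsers = [ config.users.users."julm".name ];
    binaryCaches = [
      #"http://nix-localcache.losurdo.wg"
      "ssh://nix-ssh@losurdo.wg?priority=30"
    ];
    # Paths fetched from losurdo are only accepted if signed by this key;
    # the ssh transport alone is not what authenticates the store paths.
    binaryCachePublicKeys = map lib.readFile [
      ../private/shared/nix/losurdo.pub
    ];
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";
  # Restrict who may talk to nix-daemon to the nix-ssh serving user.
  # Trusted users (julm, above) are always allowed to connect regardless of
  # this list, so this locks out every other local account only.
  nix.allowedUsers = [ config.users.users."nix-ssh".name ];
  # Let these remote keys run `nix-store --serve` as nix-ssh, i.e. pull
  # store paths from this host over SSH. Write access is not granted here
  # (sshServe.write is left at its default).
  nix.sshServe = {
    enable = true;
    keys = map lib.readFile [
      ../private/shared/ssh/julm/losurdo.pub
      ../private/shared/ssh/sevy/patate.pub
      ../private/shared/ssh/julm/oignon.pub
    ];
  };

  environment.systemPackages = [
    # Can't be installed by home-manager because it needs to install
    # policy-kit rules (system-wide privilege to manage the VPN).
    pkgs.riseup-vpn
  ];

  boot.extraModulePackages = [
    #config.boot.kernelPackages.v4l2loopback
  ];

  # Required for the "allow_other" option on the user-owned FUSE mounts below.
  programs.fuse.userAllowOther = true;
  fileSystems =
    # Use the user's gpg-agent session to query
    # for the password of the SSH key when auto-mounting.
    #
    # The mount helper runs as root; it drops to ${user} through sudo so that
    # ${user}'s ~/.ssh/config, known_hosts and agent are what decide whether
    # the remote host is trusted. Host-key verification therefore lives in
    # julm's known_hosts, not in a system-wide file.
    let
      sshAsUser = user: pkgs.writeScript "sshAsUser-${user}" ''
        #!${pkgs.runtimeShell}
        # Explicit interpreter: without a shebang sshfs would only be able to
        # start this file through execvp's ENOEXEC /bin/sh fallback.
        exec ${pkgs.sudo}/bin/sudo -i -u ${user} \
          ${pkgs.openssh}/bin/ssh "$@"
      '';
      options = [
        # Nothing on the remote side may be executed or gain privileges locally.
        "noatime" "noexec" "nosuid"
        # Files appear owned by julm; "allow_other" lets every local account
        # traverse the mount (subject to the remote file modes), which is
        # needed for the automount/gvfs integration.
        "user" "uid=julm" "gid=users" "allow_other"
        "_netdev"
        "ssh_command=${sshAsUser "julm"}"
        # "reconnect"
        "noauto" "x-gvfs-hide" "x-systemd.automount"
        #"Compression=yes" # YMMV
        # Disconnect approximately 2*15=30 seconds after a network failure
        "ServerAliveCountMax=1" "ServerAliveInterval=15"
      ];
    in
    {
      "/mnt/losurdo" = {
        device = "${pkgs.sshfsFuse}/bin/sshfs#julm@losurdo.wg:/";
        fsType = "fuse";
        inherit options;
      };
      "/mnt/mermet" = {
        device = "${pkgs.sshfsFuse}/bin/sshfs#julm@mermet.wg:/";
        fsType = "fuse";
        inherit options;
      };
    };

  # Accept TCP/8000 only from peers on the wg-intra WireGuard tunnel.
  # TODO(review): name the service listening on 8000 here; it is not defined
  # in this file, so a reader cannot tell what this exposes to the tunnel.
  networking.firewall.extraCommands = ''
    ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 8000 -j ACCEPT
  '';

  # IPFS is currently disabled (enable is commented out); the settings below
  # are kept so that re-enabling it keeps LAN discovery off.
  services.ipfs = {
    #enable = true;
    defaultMode = "online";
    autoMount = true;
    enableGC = true;
    localDiscovery = false;
    extraConfig = {
      Datastore.StorageMax = "10GB";
      Discovery.MDNS.Enabled = false;
      #Bootstrap = [
      #];
      #Swarm.AddrFilters = null;
    };
    startWhenNeeded = true;
  };

  services.udev.packages = [
    # Allow the console user access the Yubikey USB device node,
    # needed for challenge/response to work correctly.
    pkgs.yubikey-personalization
  ];

  services.xserver = {
    desktopManager = {
      session = [
        # Let the session be generated by home-manager
        {
          name = "home-manager";
          # waitPID is the NixOS session-script convention: the display
          # manager waits on this PID to know when the session ends.
          start = ''
            ${pkgs.runtimeShell} "$HOME/.hm-xsession" &
            waitPID=$!
          '';
        }
      ];
    };
    displayManager = {
      defaultSession = "home-manager";
      #defaultSession = "none+xmonad";
      #defaultSession = "mate";
      #defaultSession = "cinnamon";
      # NOTE(review): auto-login skips greeter authentication entirely, so
      # anyone who can boot this laptop gets julm's session (and, via wheel,
      # root). This is only acceptable if the disk is encrypted with a
      # passphrase asked at boot -- that is configured elsewhere (hardware.nix
      # is imported above); confirm before relying on it.
      autoLogin = {
        user = config.users.users.julm.name;
      };
    };
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "20.09"; # Did you read the comment?
}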