{ config, pkgs, lib, inputs, hostName, ... }:
{
imports = [
  #../nixos/profiles/debug.nix
  ../nixos/profiles/lang-fr.nix
  ../nixos/profiles/security.nix
  ../nixos/profiles/system.nix
  #../nixos/profiles/tor.nix
  aubergine/hardware.nix
  aubergine/networking.nix
];

# Security trade-off: "mitigations=off" turns off the kernel's optional CPU
# vulnerability mitigations (Spectre, Meltdown, MDS, ...) in exchange for
# better performance.
# NOTE(review): without them, untrusted code running locally has an easier
# path to reading memory across privilege boundaries. This host also imports
# a security profile and serves its Nix store over SSH (nix.sshServe), so
# confirm the trade-off is still intended.
boot.kernelParams = [ "mitigations=off" ];

# Pin /etc/machine-id to the file kept next to this configuration.
# NOTE(review): the file lives in the repository and is copied into the
# world-readable /nix/store. machine-id(5) asks for the ID to be treated as
# confidential, so check who can read the repository and the store.
environment.etc.machine-id.source = aubergine/machine-id;

# Home Manager configuration for julm, loaded from ../homes/julm.nix.
home-manager.users.julm = {
  imports = [ ../homes/julm.nix ];
};
# After the home-manager-julm service has started, delete every generation of
# julm's home-manager profile except the most recent one ("+1"). This keeps the
# profile small but leaves no earlier generation to roll back to.
systemd.services.home-manager-julm.postStart = ''
  ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
'';
# Main interactive account of this host.
users.users.julm = {
  isNormalUser = true;
  uid = 1000;
  # The hash is read at evaluation time, so it ends up in the world-readable
  # /nix/store. On the running system NixOS writes password hashes to
  # /etc/shadow (readable by root only), not to /etc/passwd, so the store copy
  # is what exposes the hash: to every local user, and to anyone who can read
  # this repository or fetch paths from this store.
  # Generate the hash with a strong scheme, for example:
  #   printf %s $(mkpasswd -m sha-512)
  # md5crypt is cheap to brute-force offline and is a poor fit for a hash that
  # is readable this widely.
  # NOTE(review): if the stored hash was produced with md5crypt, regenerate it.
  # Consider the passwordFile option (hashedPasswordFile in newer NixOS
  # releases) pointing at a root-only file outside the store.
  hashedPassword = lib.readFile aubergine/users/julm/login/hashedPassword;
  # "wheel" makes the account sudo-capable under NixOS's default sudo rules,
  # so the password hash above and the SSH keys below guard a path to root.
  # NOTE(review): "tor" is listed although the tor profile import is commented
  # out at the top of this file; confirm the group is still wanted.
  extraGroups = [
    "adbusers"
    "dialout"
    "networkmanager"
    "tor"
    "wheel"
  ];
  # If created, zfs-mount.service would require:
  # zfs set overlay=yes ${hostName}/home
  createHome = true;
  # Public keys accepted for SSH login as julm. The first entry comes from
  # ../users/root/ (presumably root's key on host losurdo; verify). The root
  # account defined in this file reuses this exact list, so every key added
  # here also becomes a root credential.
  openssh.authorizedKeys.keys = map lib.readFile [
    ../users/root/ssh/losurdo.pub
    ../users/julm/ssh/losurdo.pub
    ../users/julm/ssh/oignon.pub
    ../users/julm/ssh/redmi.pub
  ];
};
users.users.root = {
  # "!" is not a valid password hash: password login as root is locked.
  hashedPassword = "!";
  # Root accepts the same SSH keys as julm, so each key in julm's list is a
  # direct root credential wherever sshd permits key-based root login.
  # NOTE(review): the sshd settings are not in this file. Confirm that direct
  # root login is intended, given julm can already escalate through "wheel".
  openssh.authorizedKeys.keys =
    config.users.users.julm.openssh.authorizedKeys.keys;
};

# Disabled: this would apparently hand the store signing key to nix-daemon as
# a systemd encrypted credential, instead of keeping the private key in a
# plain file. The matching secret-key-files line in extraOptions below is
# commented out as well, so this host does not sign store paths from here.
#systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
#  "secret-key-files:" + aubergine/nix/secret-key-files;
nix = {
  # Text appended verbatim to nix.conf; the only line in it is a nix.conf
  # comment, so it currently changes nothing.
  extraOptions = ''
    #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
  '';
  settings = {
    # Trusted users may override daemon settings (extra substituters, importing
    # unsigned paths, ...), which the Nix manual describes as essentially
    # equivalent to root access. Keep this list as short as possible.
    trusted-users = [ config.users.users."julm".name ];
    # No extra binary caches are enabled here.
    # NOTE(review): if the http:// cache is re-enabled, the transport gives no
    # integrity or confidentiality. Fetched paths are then protected only by
    # signature verification against trusted-public-keys, so require-sigs must
    # stay at its default.
    substituters = [
      #"http://nix-localcache.losurdo.wg"
      #"ssh://nix-ssh@losurdo.wg?priority=30"
      #"ssh://nix-ssh@oignon.wg?priority=30"
    ];
    # Any store path signed by one of these keys is accepted as trusted,
    # whichever substituter delivered it. The holder of the matching private
    # key (host oignon, judging by the file name) can therefore supply
    # binaries to this machine.
    trusted-public-keys = map lib.readFile [
      ../users/root/nix/oignon.pub
    ];
  };
  # Make <nixpkgs> resolve to the nixpkgs input of this flake, replacing any
  # other NIX_PATH entries (mkForce), so no channel is consulted.
  nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
};
#environment.etc."nixpkgs".source = pkgs.path;
#environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

# Restrict who may connect to the Nix daemon to the nix-ssh account.
# Users listed in trusted-users are always allowed in addition to this list.
nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
# Serve this machine's Nix store over SSH through the nix-ssh account, to the
# holders of the keys below.
# NOTE(review): one key comes from another user's directory (sevy). A key
# holder can presumably fetch any path in the store, and the store is where
# julm's password hash and the machine-id end up, so treat this key list as a
# read grant on everything in /nix/store.
nix.sshServe = {
  enable = true;
  keys = map lib.readFile [
    ../users/julm/ssh/losurdo.pub
    ../users/sevy/ssh/patate.pub
    ../users/julm/ssh/oignon.pub
  ];
};

# No extra system-wide packages are added at host level.
environment.systemPackages = [
];

# No out-of-tree kernel modules are built; v4l2loopback is kept disabled.
boot.extraModulePackages = [
  #config.boot.kernelPackages.v4l2loopback
];

# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you should.
# It does not select the package set: nixPath in this file points at the
# flake's nixpkgs input, so security updates arrive by updating that input,
# not by changing this value.
system.stateVersion = "22.11"; # Did you read the comment?
}