# Host-specific accounts, privileges and a per-user egress allow-list.
# Standard NixOS module arguments plus the flake `inputs` (used to read SSH
# public keys from the `secrets` input); `hostName` is accepted but unused here.
{ inputs, pkgs, lib, config, hostName, ... }:
let
  # Final merged user definitions, so keys declared in other modules
  # (e.g. ../../members/julm.nix) are visible to the references below.
  cfgUsers = config.users.users;
  julmName = cfgUsers."julm".name;
  julmKeys = cfgUsers."julm".openssh.authorizedKeys.keys;
  rootKeys = cfgUsers."root".openssh.authorizedKeys.keys;

  # Read one SSH public key from the secrets flake input at evaluation time
  # (public keys only; the result lands in the Nix store).
  memberKey = file: lib.readFile (inputs.secrets + "/members/ssh/${file}");

  # Groups that give julm device, network and privilege access on this host.
  julmGroups = [ "adbusers" "dialout" "tor" "wheel" "gpg-agent" ];
in
{
  imports = [ ../../members/julm.nix ];

  # hplip is unfree.
  nixpkgs.config.allowUnfree = true;

  # Trusted Nix users may override daemon settings such as substituters, so
  # this grants julm root-equivalent trust over the store.
  nix.settings.trusted-users = [ julmName ];

  # Every account is declared here; imperative user changes do not persist.
  users.mutableUsers = false;

  # root: password login locked ("!"); reachable only through julm's SSH keys.
  users.users.root = {
    hashedPassword = "!";
    openssh.authorizedKeys.keys = julmKeys;
  };

  # The gnupg account accepts the same keys as root.
  users.users.gnupg.openssh.authorizedKeys.keys = rootKeys;

  # NOTE(review): `openssh.authorizedKeys.keys` is a list option, so an empty
  # list merges with (does not override) keys declared in julm.nix; denying SSH
  # login for julm on this host would need `lib.mkForce [ ]`. Confirm the intent
  # before changing it, because root reuses julm's merged key list above.
  users.users.julm.openssh.authorizedKeys.keys = [ ];

  users.users.sevy = {
    isNormalUser = true;
    uid = 1001;
    openssh.authorizedKeys.keys = map memberKey [
      "sevy-patate.pub"
      "julm-carotte.pub"
    ];
  };

  # julm is the sole declared member of each of these groups.
  users.groups = lib.genAttrs julmGroups (_: { members = [ julmName ]; });

  #security.gnupg.secrets."/root/.ssh/id_ed25519" = {
  #  gpg = "${gnupg.store}/ssh/root.ssh-ed25519.gpg";
  #};

  # Egress allow-list applied by UID to julm's traffic; `counter` keeps per-rule
  # hit counts visible in `nft list ruleset` for auditing. The base output hook
  # that jumps to `output-net` is presumably defined in another module.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net-julm {
        tcp dport {smtp, submissions} counter accept comment "SMTP"
        tcp dport nicname counter accept comment "Whois"
        tcp dport imaps counter accept comment "IMAPS"
        tcp dport ircs-u counter accept comment "IRCS"
        tcp dport 2222 counter accept comment "SSH(boot)"
        tcp dport xmpp-client counter accept comment "XMPP"
        tcp dport hkp counter accept comment "HKP"
        tcp dport {9009,9010,9011,9012,9013} counter accept comment "croc"
        udp dport 33434-33523 counter accept comment "traceroute"
        udp dport 60000-61000 counter accept comment "Mosh"
      }
      chain output-net {
        skuid ${julmName} jump output-net-julm
      }
    }
  '';
}