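# common
#
# Shared NixOS module imported by every host: Nix daemon settings, agenix
# secrets, locale/console, privilege escalation, OpenSSH (certificate-based
# host and user authentication) and the fixed set of local accounts.
#
# Fix in this revision: `PasswordAuthentication = false` alone does not stop
# password logins over SSH on NixOS, because keyboard-interactive (PAM)
# authentication stays enabled by default. `KbdInteractiveAuthentication` is
# now disabled as well so that only keys and user certificates are accepted.
{ inputs, outputs, lib, config, pkgs, ... }:
{
  nix = {
    package = pkgs.nixFlakes;
    # The signing key is decrypted by agenix to the path named here (see
    # age.secrets.cache-priv-key below); it must exist before nix-daemon uses it.
    extraOptions = ''
      experimental-features = nix-command flakes
      secret-key-files = /etc/nix/cache-priv-key.pem
    '';
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };
  };

  nixpkgs = {
    overlays = [
      outputs.overlays.additions
      outputs.overlays.modifications
    ];
    config.allowUnfree = true;
  };

  # agenix decrypts with the persisted host key. NOTE(review): this path lives
  # under /mnt/persist while sshd reads /etc/ssh/ssh_host_ed25519_key — the two
  # are presumably the same file via a bind mount; confirm on each host.
  age.identityPaths = [
    "/mnt/persist/etc/ssh/ssh_host_ed25519_key"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
  ];

  age.secrets = with outputs.secrets; {
    root-passwordfile.file = user-passwordfiles.root;
    rilla-passwordfile.file = user-passwordfiles.rilla;
    # Binary-cache signing key: root-only, read-only, at the path nix expects.
    cache-priv-key = {
      file = cache-priv-key;
      mode = "400";
      owner = "root";
      group = "root";
      path = "/etc/nix/cache-priv-key.pem";
    };
  };

  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  security = {
    # doas replaces sudo. NOTE(review): `noPass` + `keepEnv` for the whole
    # wheel group means any process running as a wheel member can become root
    # without a prompt and with its environment intact. The `dags` system user
    # below is also in wheel, so anything running as `dags` (or an SSH user
    # certificate issued for principal `dags`) has silent root. Consider
    # `noPass = false` or restricting the rule to specific users.
    doas = {
      enable = true;
      extraRules = [{
        groups = [ "wheel" ];
        keepEnv = true;
        noPass = true;
      }];
    };
    sudo.enable = false;
  };

  environment.systemPackages = with pkgs; [
    git
    vim
    wget
    just
    ripgrep
    deploy-rs
  ];

  # User CA public key trusted by sshd (TrustedUserCAKeys below).
  environment.etc = {
    user-ca-pub = {
      target = "/etc/ssh/user_ca.pub";
      source = ./user_ca.pub;
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # Without this, PAM keyboard-interactive auth still accepts passwords
      # even though PasswordAuthentication is off.
      KbdInteractiveAuthentication = false;
    };
    hostKeys = [{
      path = "/etc/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }];
    # Clients trust host certificates signed by host_ca for these names/nets.
    knownHosts = {
      "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,cuina,trantor,capibara,axolotl" = {
        certAuthority = true;
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
      };
    };
    # Present this host's certificate and accept user certificates from the
    # user CA. NOTE(review): with no AuthorizedPrincipalsFile, a certificate's
    # principals must match the local username, so the CA alone decides who
    # can log in as `rilla` or `dags`.
    extraConfig = ''
      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
      TrustedUserCAKeys /etc/ssh/user_ca.pub
    '';
  };

  # Accounts are fully declarative; password hashes come from agenix secrets.
  # NOTE(review): `passwordFile` is the older option name; newer nixpkgs
  # spells it `hashedPasswordFile` — check the pinned nixpkgs revision.
  users.mutableUsers = false;
  users.groups = {
    dags.gid = 506;
  };
  users.users = {
    root.passwordFile = config.age.secrets.root-passwordfile.path;
    rilla = {
      uid = 1000;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      passwordFile = config.age.secrets.rilla-passwordfile.path;
    };
    # Service account with a locked password ("*") but a login shell and
    # wheel membership — see the doas note above before relying on it being
    # unprivileged.
    dags = {
      uid = 506;
      group = "dags";
      extraGroups = [ "wheel" ];
      createHome = false;
      isSystemUser = true;
      password = "*";
      useDefaultShell = true;
    };
  };
}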