{ pkgs, lib, ... }:
# NixOS host "baldur": a virtio-based VM guest (virtio modules, /dev/vda, serial
# console) that terminates TLS with nginx/ACME for a handful of internal
# services, exposes SSH, and runs fail2ban against the nginx error log.
# `lib` is accepted by the module signature but not referenced below.
let
  # Shared TLS policy for every public vhost: ACME certificate plus a forced
  # HTTP -> HTTPS redirect.
  tlsHost = { enableACME = true; forceSSL = true; };

  # Backend host that runs the proxied applications (addressed by IP only).
  mediaHost = "172.23.254.55";

  # Build a vhost that reverse-proxies "/" to one TCP port on mediaHost,
  # with websocket upgrades allowed.
  proxyTo = port: tlsHost // {
    locations."/" = {
      proxyPass = "http://${mediaHost}:${toString port}/";
      proxyWebsockets = true;
    };
  };

  # Common fail2ban jail body; both jails ban via nftables on the HTTP ports
  # and read the (possibly rotated) nginx error log.
  nginxJail = filterName: ''
    filter = ${filterName}
    action = nftables-multiport[name=HTTP, port="http,https"]
    logpath = /var/log/nginx/error.log*
    backend = auto
  '';
in
{
  system.stateVersion = "22.11";

  # ---- boot / hardware ------------------------------------------------------
  boot = {
    growPartition = true;
    # Serial console for the hypervisor; reboot automatically on kernel panic
    # or a failed stage-1 boot so the VM does not hang unattended.
    kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
    initrd.kernelModules = [ "virtio_scsi" ];
    kernelModules = [ "virtio_pci" "virtio_net" ];
    loader.timeout = 0;
    loader.grub = {
      device = "/dev/vda";
      # Keep no previous generations in the GRUB menu.
      configurationLimit = 0;
    };
  };

  # ---- locale ---------------------------------------------------------------
  console.font = "Lat2-Terminus16";
  console.keyMap = "it";
  i18n.defaultLocale = "it_IT.UTF-8";
  time.timeZone = "Europe/Rome";
  networking.hostName = "baldur";

  # ---- user environment -----------------------------------------------------
  environment.pathsToLink = [ "/share/zsh" ];
  environment.systemPackages = [ pkgs.helix pkgs.kitty pkgs.tmux pkgs.vim ];

  programs.gnupg.agent = {
    enable = true;
    # gpg-agent also acts as the SSH agent for this user.
    enableSSHSupport = true;
  };
  programs.zsh = {
    enable = true;
    syntaxHighlighting.enable = true;
  };

  users.users.bertof = {
    isNormalUser = true;
    shell = pkgs.zsh;
    # NOTE(review): "wheel" grants sudo, and "docker"/"libvirtd" membership is
    # generally treated as root-equivalent; this is the only interactive account
    # defined in this file.
    extraGroups = [
      "audio"
      "input"
      "docker"
      "libvirtd"
      "network"
      "networkmanager"
      "usb"
      "video"
      "wheel"
    ];
  };

  # ---- network exposure -----------------------------------------------------
  networking.firewall = {
    enable = true;
    allowPing = true;
    # 80/443 are nginx. Nothing in this file listens on 8000 — TODO confirm
    # another module needs it before keeping it open.
    allowedTCPPorts = [ 8000 80 443 ];
    # allowedUDPPorts = [ ];
    # extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
  };

  # SSH is reachable from outside; authentication policy (password login, root
  # login) is not set in this file, so NixOS defaults apply unless another
  # module overrides them — worth confirming.
  services.openssh = {
    enable = true;
    openFirewall = true;
  };

  services.avahi = {
    enable = true;
    openFirewall = true;
    # mDNS is restricted to this single interface rather than all of them.
    interfaces = [ "ztmjfdwjkp" ];
    # NOTE(review): newer NixOS releases rename this option to `nssmdns4`.
    nssmdns = true;
    publish = {
      enable = true;
      addresses = true;
      domain = true;
      userServices = true;
      workstation = true;
    };
    # Advertise the SSH service using the unit file shipped with avahi.
    extraServiceFiles.ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
  };

  services.fail2ban = {
    enable = true;
    # Repeat offenders get progressively longer bans.
    bantime-increment.enable = true;
    jails = {
      "nginx-botsearch" = nginxJail "nginx-botsearch";
      "nginx-http-auth" = nginxJail "nginx-http-auth";
    };
  };

  # ---- reverse proxy --------------------------------------------------------
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # Pure redirect to the university homepage; no backend behind it.
      "unimi.bertof.net" = tlsHost // {
        locations."/".extraConfig = "rewrite ^/(.*)$ https://homes.di.unimi.it/berto/$1 redirect ;";
      };
      "home-assistant.bertof.net" = proxyTo 8123 // {
        # Host-specific directives in addition to the shared proxy settings.
        extraConfig = ''
          proxy_pass_header Authorization;
          proxy_buffering off;
        '';
      };
      "radarr.bertof.net" = proxyTo 7878;
      "sonarr.bertof.net" = proxyTo 8989;
      "jellyfin.bertof.net" = proxyTo 8096;
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "filippo.berto95@gmail.com";
  };
}