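# NixOS module for the host "baldur": a virtio guest with a serial console,
# Italian locale/keymap, zsh, a GnuPG agent with SSH support and an
# SSH daemon as the only enabled network service.
#
# The large commented-out sections are disabled configuration kept for
# reference. NOTE(review) markers flag what to check before re-enabling them.
{ pkgs, lib, ... }:
with lib; {
  boot = {
    growPartition = true;
    # panic=1 reboots one second after a kernel panic; boot.panic_on_fail makes
    # a stage-1 failure panic instead of waiting at a prompt on the console.
    kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
    initrd.kernelModules = [ "virtio_scsi" ];
    kernelModules = [ "virtio_pci" "virtio_net" ];
    loader = {
      grub.device = "/dev/vda";
      # No menu delay and no older generations in the GRUB menu.
      timeout = 0;
      grub.configurationLimit = 0;
    };
  };

  # boot = {
  #   # binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
  #   # kernelPackages = pkgs.linuxPackages_5_18;
  #   # loader = {
  #   #   systemd-boot.enable = true;
  #   #   efi.canTouchEfiVariables = true;
  #   # };
  # };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "it";
  };

  environment = {
    pathsToLink = [ "/share/zsh" ];
    # systemPackages = with pkgs; [ kakoune tmux vim ];
  };

  i18n.defaultLocale = "it_IT.UTF-8";

  programs = {
    # dconf.enable = true;
    # gpg-agent also serves as the SSH agent for local sessions.
    gnupg.agent = { enable = true; enableSSHSupport = true; };
    zsh = { enable = true; syntaxHighlighting.enable = true; };
  };

  networking = {
    hostName = "baldur";
    # interfaces = { eno1.useDHCP = true; wlp7s0.useDHCP = true; };
    # networkmanager.enable = true;
    # useDHCP = false;
  };

  time.timeZone = "Europe/Rome";

  services = {
    # avahi = {
    #   enable = true;
    #   openFirewall = true;
    #   nssmdns = true;
    #   publish = {
    #     enable = true;
    #     addresses = true;
    #     domain = true;
    #     userServices = true;
    #     workstation = true;
    #   };
    #   extraServiceFiles = {
    #     ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
    #   };
    # };
    # bazarr = { enable = true; openFirewall = true; group = "users"; };
    # blueman.enable = true;
    # dbus.packages = with pkgs; [ dconf ];
    # NOTE(review): fail2ban is disabled while sshd is opened in the firewall;
    # with key-only logins that is a log-noise trade-off rather than a gap.
    # fail2ban = {
    #   enable = true;
    #   bantime-increment.enable = true;
    # };
    # gnome.gnome-keyring.enable = true;
    # gvfs = { enable = true; package = mkForce pkgs.gnome3.gvfs; };
    # jackett = { enable = true; openFirewall = true; group = "users"; };
    # jellyfin = { enable = true; openFirewall = true; group = "users"; };
    # logind.lidSwitch = "ignore";
    # node-red = { enable = true; openFirewall = true; withNpmAndGcc = true; };

    # The only enabled network service. Intended policy is key-only login:
    # root may log in with a key but never a password, and password
    # authentication is off for everyone.
    openssh = {
      enable = true;
      openFirewall = true;
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
      # NixOS leaves keyboard-interactive authentication on by default, and
      # through PAM that still presents a password prompt. Switch it off so
      # that the key-only policy above actually holds.
      kbdInteractiveAuthentication = false;
    };

    # plex = { enable = true; openFirewall = true; group = "users"; };
    # power-profiles-daemon.enable = true;
    # radarr = { enable = true; openFirewall = true; group = "users"; };
    # samba-wsdd = { enable = true; discovery = true; };
    # smartd = { enable = true; notifications.x11.enable = true; };
    # sonarr = { enable = true; openFirewall = true; group = "users"; };
    # thermald.enable = true;
    # transmission = {
    #   enable = true;
    #   openFirewall = true;
    #   group = "users";
    #   settings = {
    #     download-dir = "/mnt/raid0/condiviso/Scaricati/Torrent";
    #     incomplete-dir = "/mnt/raid0/condiviso/Scaricati/Torrent/.incomplete";
    #   };
    # };
    # xserver = {
    #   # enable = true;
    #   videoDrivers = [ "nvidia" ];
    #   # layout = "it";
    #   # xkbOptions = "eurosign:e;";
    #   # libinput.enable = true;
    # };
    # NOTE(review): hostname "0.0.0.0" together with openFirewall would expose
    # the web UI on every interface if this is re-enabled.
    # zoneminder = {
    #   enable = true;
    #   openFirewall = true;
    #   cameras = 3;
    #   hostname = "0.0.0.0";
    #   database = { username = "zoneminder"; createLocally = true; };
    # };
    # NOTE(review): "ALL PRIVILEGES" on "*.*" makes bertof a database
    # superuser; scope the grant to the schemas actually needed.
    # mysql = {
    #   # enable = true;
    #   ensureUsers = [{ name = "bertof"; ensurePermissions = { "*.*" = "ALL PRIVILEGES"; }; }];
    # };
  };

  # Interactive account with sudo rights via "wheel".
  # NOTE(review): membership of "docker" is root-equivalent on any host where
  # the Docker daemon runs. The virtualisation block that would enable docker
  # and libvirtd is commented out below, so confirm these groups are still wanted.
  # NOTE(review): no SSH authorized keys are declared in this file while
  # password logins are disabled; presumably keys are provided elsewhere.
  users.users.bertof = {
    isNormalUser = true;
    extraGroups = [
      "audio"
      "input"
      "docker"
      "libvirtd"
      "network"
      "networkmanager"
      "usb"
      "video"
      "wheel"
    ];
    shell = pkgs.zsh;
  };

  # services.snapper = {
  #   configs =
  #     let
  #       commonExtraConfig = ''
  #         ALLOW_USERS="bertof"
  #         TIMELINE_CREATE=yes
  #         TIMELINE_CLEANUP=yes
  #       '';
  #     in
  #     {
  #       bertof_raid0 = {
  #         subvolume = "/mnt/raid0/bertof";
  #         extraConfig = ''
  #           ALLOW_USERS="bertof"
  #           ${commonExtraConfig}
  #         '';
  #       };
  #       tiziano_raid0 = {
  #         subvolume = "/mnt/raid0/tiziano";
  #         extraConfig = ''
  #           ALLOW_USERS="tiziano"
  #           ${commonExtraConfig}
  #         '';
  #       };
  #       condiviso_raid0 = {
  #         subvolume = "/mnt/raid0/condiviso";
  #         extraConfig = ''
  #           ALLOW_USERS="bertof tiziano"
  #           ${commonExtraConfig}
  #         '';
  #       };
  #     };
  # };
  # NOTE(review): commonExtraConfig itself sets ALLOW_USERS="bertof" and is
  # appended after each per-volume ALLOW_USERS line, so the generated config
  # carries two ALLOW_USERS assignments; check which one snapper honours
  # before relying on the tiziano/shared settings.

  # systemd.packages = with pkgs; [ syncthing ];
  # NOTE(review): this block reads config.ids.gids.users, but `config` is not
  # among the module arguments above; add it before re-enabling.
  # NOTE(review): both instances bind the Syncthing GUI to 0.0.0.0 and the
  # firewall block below opens 8384/8385. Prefer 127.0.0.1 behind a tunnel, or
  # confirm GUI authentication and TLS are configured.
  # systemd.services =
  #   let
  #     common = {
  #       documentation = [ "man:syncthing(1)" ];
  #       startLimitIntervalSec = 60;
  #       startLimitBurst = 4;
  #       after = [ "network.target" ];
  #       environment = { STNORESTART = "yes"; STNOUPGRADE = "yes"; };
  #       wantedBy = [ "default.target" ];
  #       serviceConfig = {
  #         Restart = "on-failure";
  #         RestartSec = 1;
  #         SuccessExitStatus = "3 4";
  #         RestartForceExitStatus = "3 4";
  #         Group = config.ids.gids.users;
  #         MemoryDenyWriteExecute = true;
  #         NoNewPrivileges = true;
  #         PrivateDevices = true;
  #         PrivateMounts = true;
  #         PrivateTmp = true;
  #         PrivateUsers = true;
  #         ProtectControlGroups = true;
  #         ProtectHostname = true;
  #         ProtectKernelModules = true;
  #         ProtectKernelTunables = true;
  #         RestrictNamespaces = true;
  #         RestrictRealtime = true;
  #         RestrictSUIDSGID = true;
  #         CapabilityBoundingSet = [ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" "~CAP_SYS_TIME" "~CAP_KILL" ];
  #       };
  #     };
  #   in
  #   {
  #     syncthing-bertof = recursiveUpdate common {
  #       description = "Syncthing service bertof";
  #       serviceConfig = { User = "bertof"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid0/bertof/Syncthing/.config"; };
  #     };
  #     syncthing-tiziano = recursiveUpdate common {
  #       description = "Syncthing service tiziano";
  #       serviceConfig = { User = "tiziano"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid0/tiziano/Syncthing/.config"; };
  #     };
  #   };

  # NOTE(review): UDP 137/138 are the NetBIOS name/datagram ports used by
  # Samba; the SYNCTHING labels on them look like a copy-paste slip.
  # networking.firewall = {
  #   enable = true;
  #   allowPing = true;
  #   allowedTCPPorts = [
  #     445 # SAMBA
  #     139 # SAMBA
  #     5357 # SAMBA-WSDD
  #     8123 # HOME ASSISTANT
  #     8384 # SYNCTHING
  #     8385 # SYNCTHING
  #   ];
  #   allowedUDPPorts = [
  #     137 # SYNCTHING
  #     138 # SYNCTHING
  #     3702 # SAMBA-WSDD
  #   ];
  #   extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
  # };

  # NOTE(review): the hass container runs with --privileged and
  # --network=host, which removes most container isolation. With host
  # networking the ports mapping has no effect. Prefer passing only the
  # devices it needs, and consider pinning the image instead of
  # ":stable" with --pull=always.
  # virtualisation = {
  #   docker.enable = true;
  #   kvmgt.enable = true;
  #   libvirtd.enable = true;
  #   podman.enable = true;
  #   # virtualbox.host.enable = true;
  #   oci-containers.containers = {
  #     hass = {
  #       image = "ghcr.io/home-assistant/home-assistant:stable";
  #       environment = {
  #         TZ = "Europe/Rome";
  #       };
  #       extraOptions = [ "--privileged" "--network=host" "--pull=always" ];
  #       ports = [ "8123:8123" ];
  #       volumes = [
  #         "/var/lib/hass:/config"
  #         "/mnt/raid0/condiviso:/media"
  #       ];
  #     };
  #   };
  # };

  # pwfeedback echoes an asterisk per typed character at the sudo prompt,
  # which shows the password length to anyone watching the terminal.
  security.sudo.extraConfig = ''
    Defaults pwfeedback
  '';

  # nixpkgs.config.allowUnfree = true;

  # NOTE(review): this points at loki.nix under a user-writable home
  # directory while this host is named "baldur". An unattended root upgrade
  # would build whatever that file contains, so verify the path and who can
  # write to it.
  # system.autoUpgrade = {
  #   enable = true;
  #   allowReboot = true;
  #   flags = [
  #     "-I"
  #     "nixos-config=/home/bertof/.config/nixpkgs/nixos/loki.nix"
  #     "--upgrade"
  #   ];
  # };

  system.stateVersion = "22.11";
}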