{ config, lib, pkgs, inputs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
      ../modules/nix-cache.nix
      ../modules/users/origami.nix
      ../modules/sops.nix
    ];

  # BIOS + GRUB, 安装到 MBR
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
    configurationLimit = 10;
  };

  networking.hostName = "oparic-local-dev";

  # 静态 IP
  networking.interfaces.ens18.ipv4.addresses = [{
    address = "192.168.2.22";
    prefixLength = 24;
  }];
  networking.defaultGateway = "192.168.2.1";
  networking.nameservers = [ "119.29.29.29" "223.5.5.5" "114.114.114.114" ];

  time.timeZone = "Asia/Shanghai";

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    trusted-users = [ "origami" ];
    auto-optimise-store = true;
  };

  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 1w";
  };

  environment.systemPackages = with pkgs; [
    git
    vim
    wget
    curl

    zip
    xz
    unzip
    p7zip
    zstd
    gnutar

    file
    which
    tree
    gnused
    gawk
    gnupg
    pciutils
    usbutils

    home-manager
    nix-output-monitor
  ];

  i18n = {
    defaultLocale = "C.UTF-8";
    extraLocaleSettings = {
      LC_MESSAGES = "en_US.UTF-8";
      LC_TIME = "C.UTF-8";
      LC_CTYPE = "zh_CN.UTF-8";
    };
  };

  # PVE guest agent
  services.qemuGuest.enable = true;

  # 用户
  users.groups.origami.gid = 1000;
  users.users.origami.extraGroups = [ "wheel" ];
  security.sudo.wheelNeedsPassword = false;

  services.openssh.enable = true;

  # Mihomo 代理
  services.mihomo = {
    enable = true;
    configFile = "/etc/mihomo/config.yaml";
    tunMode = true;
  };

  # 密钥管理: 这是对外机器
  sops.defaultSopsFile = ../../secrets/hosts/oparic-local-dev.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  sops.secrets.caddy_cloudflare_api_key = {
    owner = "caddy";
  };
  # Caddy 反向代理 + Cloudflare DNS challenge 通配符证书
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.4" ];
      hash = "sha256-VHm9POg2KixGsMsAcfFFDMK9x6niRJ1iJV9kkSwkSjc=";
    };
    virtualHosts."*.testing.oparic.luo.ee" = {
      extraConfig = ''
        tls {
          dns cloudflare {file.${config.sops.secrets.caddy_cloudflare_api_key.path}}
          propagation_timeout -1
          propagation_delay 30s
        }
        reverse_proxy 192.168.2.22:40000
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 40000 ];

  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-o4dev" ];
    externalInterface = "ens18";
    forwardPorts = [{
      sourcePort = 40000;
      destination = "10.233.1.2:80";
      proto = "tcp";
    }];
  };

  # NixOS container: o4dev
  containers.o4dev = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.233.1.1";
    localAddress = "10.233.1.2";
    bindMounts."/data" = {
      hostPath = "/home/origami/data";
      isReadOnly = false;
    };
    forwardPorts = [{
      containerPort = 80;
      hostPort = 40000;
      protocol = "tcp";
    }];
    path = inputs.container-flake.nixosConfigurations.o4dev.config.system.build.toplevel;
  };

  system.stateVersion = "23.11";
}