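{ config, pkgs, ... }:

# NixOS host "knazarovcom": a small VM that serves two static sites behind
# nginx with ACME certificates, runs a Dendrite Matrix homeserver behind the
# same nginx, and receives its secrets through sops-nix.
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  networking.hostName = "knazarovcom";

  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # Both keys are FIDO-backed (sk-ssh-ed25519): an SSH login needs the
    # hardware authenticator, not just the key file.
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"
    ];
  };

  environment.systemPackages = with pkgs; [ vim sops goaccess ];

  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    # PasswordAuthentication=no only closes the "password" method; with
    # UsePAM the keyboard-interactive path can still accept a password, so it
    # is disabled as well to leave public-key auth as the only method.
    KbdInteractiveAuthentication = false;
  };

  # pam_ssh_agent_auth allows sudo to authenticate against a forwarded agent,
  # but with wheelNeedsPassword = false sudo never prompts wheel members, so
  # the agent check is not consulted — NOTE(review): confirm this pairing is
  # intended rather than leftover from an earlier setup.
  security.pam.enableSSHAgentAuth = true;
  security.sudo.wheelNeedsPassword = false;
  # trusted-users may change daemon settings and push unsigned store paths;
  # treat membership of wheel as equivalent to root.
  nix.settings.trusted-users = [ "@wheel" ];

  services.nginx = {
    enable = true;
    # Tags requests whose User-Agent matches a crawler list; the vhosts below
    # return 403 for them. This is a courtesy filter against well-behaved
    # crawlers only — a client that changes its User-Agent is not affected.
    commonHttpConfig = ''
      map $http_user_agent $limit_bots {
        default 0;
        ~*(AhrefsBot|PetalBot|bingbot|gptbot|ZoominfoBot|BLEXBot|Bytespider) 1;
        ~*(DecompilationBot|Amazonbot|Barkrowler|SeznamBot|SemrushBot) 1;
        ~*(MJ12bot) 1;
      }
    '';

    virtualHosts = {
      "knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.knazarovcom}/srv/knazarov.com";
        # Matrix delegation: federation and clients for server_name
        # "knazarov.com" are pointed at matrix.knazarov.com.
        locations."/.well-known/matrix/server" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.server": "matrix.knazarov.com:443" }';
          '';
        };
        locations."/.well-known/matrix/client" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.homeserver": { "base_url": "https://matrix.knazarov.com" } }';
            add_header "Access-Control-Allow-Origin" *;
          '';
        };
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };

      "vmatveeva.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.vmatveevacom}/srv/vmatveeva.com";
        locations."/" = {
          extraConfig = ''
            if ($limit_bots = 1) {
              return 403;
            }
          '';
        };
      };

      "matrix.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        # Only the Matrix API prefix is proxied; everything else on this host
        # falls through to nginx's default handling.
        # NOTE(review): nginx's default client_max_body_size applies here and
        # may cap media uploads — confirm against Dendrite's own upload limit.
        locations."/_matrix" = {
          proxyPass = "http://127.0.0.1:8008";
        };
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "knazarov.com".email = "mail@knazarov.com";
    "vmatveeva.com".email = "mail@knazarov.com";
    "matrix.knazarov.com".email = "mail@knazarov.com";
  };

  services.dendrite = {
    enable = true;
    # The registration secret is not written into the (world-readable) Nix
    # store: the config below carries a $REGISTRATION_SHARED_SECRET
    # placeholder that the module substitutes from this environment file
    # when the service starts.
    environmentFile = config.sops.secrets.matrix_registration_secret.path;
    settings = {
      global = {
        server_name = "knazarov.com";
        # Path to the sops-managed signing key (group "keys", mode 0440 below).
        private_key = config.sops.secrets.matrix_key.path;
        jetstream = {
          storage_path = "/var/lib/dendrite/nats";
        };
      };
      client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
    };
  };

  # Dendrite runs as its own user; membership of the "keys" group is what
  # lets it read the 0440 secrets declared under sops.secrets.
  systemd.services.dendrite = {
    serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    example_key = {};
    matrix_key = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    matrix_registration_secret = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
  };

  # Only HTTP/HTTPS are opened explicitly; the sshd port is presumably opened
  # by the openssh module's own openFirewall default.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # networking.firewall.allowedUDPPorts = [ ... ];

  system.stateVersion = "23.05";
}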