# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "szalotka": a publicly addressed NixOS machine that acts as the
# gateway for several services (mail, Nextcloud, authentik, Forgejo,
# backups — each in its own imported module). Operator access is
# LDAP-backed via sssd; the only local account with keys is root.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    #./identity.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./authentik.nix
    ./forgejo.nix
    ./backups.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Static public addressing; DHCP is off so nothing on the link can
  # hand this host a different gateway or resolver.
  networking.hostName = "szalotka";
  networking.domain = "cebula.camp";
  networking.useDHCP = false;
  networking.interfaces.enp1s0 = {
    ipv4.addresses = [ { address = "135.181.235.222"; prefixLength = 29; } ];
    ipv6.addresses = [ { address = "2a01:4f9:4a:4319:1337::14"; prefixLength = 80; } ];
  };
  networking.defaultGateway = "135.181.235.217";
  networking.defaultGateway6 = "2a01:4f9:4a:4319:1337::1";
  # Single upstream resolver, plain DNS. Not a security boundary here,
  # but a single resolver is also a single point of failure for ACME
  # renewals and the mail server's lookups.
  networking.nameservers = [ "8.8.8.8" ];

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };

  # Direct root login over SSH, key-only for the identities below.
  # The "cert-authority" entry accepts *any* key signed by that CA, so
  # whoever holds the CA private key can mint root access to this host;
  # treat that CA key as equivalent to root here.
  users.users.root = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
      "cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPt2EXhvAwjMZ+5j8P0dCMaUdXeUQePeTv8tBdHXNly mewp"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOccFr7RFddSB5kdvYCIdCyKgD3X79mC90cMImqziTd9 radex@radpro"
    ];
  };

  users.groups.ldap-access = {};

  # Superseded by services.sssd below; kept for reference.
  # users.ldap = {
  #   enable = true;
  #   loginPam = true;
  #   nsswitch = true;
  #   base = "ou=users,dc=cebula,dc=camp";
  #   server = "ldap://10.88.0.1:389/";
  #   timeLimit = 1;
  #   daemon.enable = true;
  #   bind = {
  #     distinguishedName = "cn=ldap-access,ou=users,dc=cebula,dc=camp";
  #     passwordFile = "/var/secrets/ldap-access";
  #   };
  # };

  # Operator accounts come from LDAP (10.88.0.1, presumably reached over
  # an internal/container network — TODO confirm the path is private).
  # Login is restricted by ldap_access_filter to members of
  # cn=orga-infra; the same group receives passwordless sudo further
  # down, so membership in orga-infra is root-equivalent on this host.
  # SSH public keys are also pulled from the directory
  # (sshAuthorizedKeysIntegration + ldap_user_ssh_public_key), which
  # means whoever can write the sshPublicKey attribute in LDAP controls
  # who can log in.
  #
  # NOTE(review): ldap_tls_reqcert = allow means the directory's TLS
  # certificate is NOT verified, so ldaps:// gives confidentiality
  # against passive observers only. Anyone able to intercept traffic to
  # 10.88.0.1 could impersonate the directory: capture the bind
  # password, inject accounts, or serve attacker-controlled
  # sshPublicKey values. Prefer `ldap_tls_reqcert = demand` together
  # with `ldap_tls_cacert` pointing at the CA that issued the server
  # certificate — verify the server's chain before switching so logins
  # do not break.
  #
  # filter_users/filter_groups = root keeps the local root account out
  # of LDAP resolution, so a directory entry named "root" cannot shadow
  # it. The bind password is not in this file: ldap_default_authtok is
  # an environment variable expanded by sssd, expected to be provided
  # by /var/secrets/sssd (kept outside the world-readable Nix store).
  services.sssd = {
    enable = true;
    sshAuthorizedKeysIntegration = true;
    config = let
      baseDN = "dc=cebula,dc=camp";
      serviceAccount = "ldap-access";
      allowedGroup = "cn=orga-infra,ou=groups,${baseDN}";
    in ''
      [nss]
      filter_groups = root
      filter_users = root
      reconnection_retries = 3

      [sssd]
      config_file_version = 2
      reconnection_retries = 3
      domains = LDAP
      services = nss, pam, ssh

      [pam]
      reconnection_retries = 3

      [domain/LDAP]
      cache_credentials = True
      id_provider = ldap
      chpass_provider = ldap
      auth_provider = ldap
      access_provider = ldap
      ldap_uri = ldaps://10.88.0.1/
      ldap_tls_reqcert = allow
      ldap_schema = rfc2307bis
      ldap_search_base = ${baseDN}
      ldap_user_search_base = ou=users,${baseDN}
      ldap_group_search_base = ${baseDN}
      ldap_user_ssh_public_key = sshPublicKey
      ldap_user_object_class = user
      ldap_user_name = cn
      ldap_group_object_class = group
      ldap_group_name = cn
      ldap_default_bind_dn = cn=${serviceAccount},ou=users,${baseDN}
      ldap_default_authtok = $LDAP_DEFAULT_AUTHTOK
      ldap_access_filter = memberOf=${allowedGroup}
    '';
    environmentFile = "/var/secrets/sssd";
  };

  # LDAP users have no local home until first SSH login; create it then.
  security.pam.services.sshd.makeHomeDir = true;

  # Passwordless root for the orga-infra group — the same group that
  # ldap_access_filter admits. Any compromise of a member's SSH key or
  # of the LDAP group membership is a full host compromise.
  security.sudo.extraRules = [{
    groups = ["orga-infra"];
    commands = [{
      command = "ALL";
      options = [ "NOPASSWD" ];
    }];
  }];

  environment.variables.EDITOR = "vim";
  environment.systemPackages = with pkgs; [
    wget
    rxvt-unicode-unwrapped.terminfo
    htop
    dstat
    git
    ((vim_configurable.override { features = "normal"; }).customize {
      name = "vim";
      vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
        start = [ vim-nix nerdtree ];
      };
      vimrcConfig.customRC = ''
        syntax on
        set expandtab
        set tabstop=4
        set autoindent
        set shiftwidth=4
        set bs=2
        autocmd FileType nix setlocal shiftwidth=2 tabstop=2
      '';
    })
  ];

  programs.mtr.enable = true;

  services.journald.extraConfig = ''
    SystemMaxUse=2G
  '';

  # SSH on 2222 instead of 22. The non-default port only cuts scanner
  # noise; it is not an access control.
  # NOTE(review): password authentication is not explicitly disabled
  # here, and sssd is wired into PAM above, so LDAP passwords are
  # guessable from the internet on this port unless the nixpkgs default
  # or an imported module turns it off. If every orga-infra member has
  # an sshPublicKey in LDAP, consider disabling password (and
  # keyboard-interactive) authentication for sshd — confirm first that
  # no operator relies on password login.
  services.openssh = {
    enable = true;
    ports = [ 2222 ];
  };

  # Reverse proxy for the imported services; vhosts are defined in the
  # respective modules, not here.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
  };

  security.acme = {
    # TODO(q3k): change to @cebula.camp address.
    defaults.email = "q3k@q3k.org";
    acceptTerms = true;
  };

  # Limit nscd memory usage, as it sometimes just blows up and the OOMkiller
  # sucks at picking it up.
  systemd.services.nscd.serviceConfig.MemoryMax = "256M";

  # Open ports in the firewall. Only HTTP(S) for nginx and the SSH port;
  # the imported mail module may open its own ports — not visible here.
  networking.firewall.allowedTCPPorts = [
    80 443 # http
    2222 # host ssh
  ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
}