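{ config, lib, pkgs, sops, ... }:

let
  # Values this host owns on the LAN. They are referenced from the network,
  # DHCP and unbound sections below, so they are defined once here.
  lanInterface = "end0";
  ipv4Address = "10.42.69.2";
  ipv4Gateway = "10.42.69.1";
  ipv6Address = "fd72:3dd5:21ae:3c97::2";
  ipv6Prefix = "fd72:3dd5:21ae:3c97::/64";
  localDomain = "icanttype.org";
  # Generated blocklist consumed by unbound; persisted below so it survives a reboot.
  adsConf = "/etc/unbound/ads.conf";
  blocklistUrl = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf";
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../modules/common.nix
    ../../modules/networkd-base.nix
  ];

  # Single-board computer: boot through extlinux rather than GRUB.
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.timeout = 1;
  # NOTE(review): /tmp is also listed under environment.persistence below;
  # confirm whether "clean on boot" or "persist across boots" is intended.
  boot.tmp.cleanOnBoot = true;

  networking.hostName = "orangepihole";

  systemd.network.networks."40-${lanInterface}" = {
    matchConfig.Name = lanInterface;
    address = [ "${ipv4Address}/24" "${ipv6Address}/64" ];
    dns = [ ipv4Address ipv6Address ];
    domains = [ localDomain ];
    gateway = [ ipv4Gateway ];

    # This host is the LAN's DHCPv4 server and advertises itself as resolver.
    networkConfig.DHCPServer = true;
    dhcpServerConfig = {
      PoolOffset = 150;
      EmitDNS = true;
      DNS = ipv4Address;
      EmitRouter = true;
      Router = ipv4Gateway;
      # Option 15 = domain name, option 119 = domain search list.
      SendOption = [ "15:string:${localDomain}" "119:string:${localDomain}" ];
    };

    # Router advertisements carry the ULA prefix only: RouterLifetimeSec = 0
    # does not offer this host as a default router, and no DNS is announced
    # over RA (unbound is IPv4-only, see services.unbound).
    networkConfig.IPv6SendRA = true;
    ipv6SendRAConfig.RouterLifetimeSec = 0;
    ipv6SendRAConfig.EmitDNS = false;
    ipv6Prefixes = [{ ipv6PrefixConfig.Prefix = ipv6Prefix; }];
  };

  zramSwap.enable = true;
  swapDevices = [{ device = "/persist/swapfile"; size = 1024; }];

  services.unbound = {
    enable = true;
    localControlSocketPath = "/var/lib/unbound/control.sock";
    settings = {
      server = {
        # IPv4 only: clients learn the v4 resolver address via DHCP.
        do-ip6 = "no";
        qname-minimisation = "yes";
        interface = [ lanInterface ];
        # Answer recursive queries only from private ranges: RFC 1918 10/8 and
        # the IPv6 unique-local block fc00::/7 (the previous "fc::/7" expanded
        # to 00fc::, i.e. ::/7, which is not the ULA range).
        access-control = [ "10.0.0.0/8 allow" "fc00::/7 allow" ];
      };
      include = [ adsConf "${./unbound-local.conf}" ];
    };
  };

  # Logs live in memory only and are gone after a reboot; nothing here
  # survives for later incident review.
  services.journald.storage = "volatile";

  # Daily refresh of the unbound blocklist.
  systemd.services.adblock = {
    startAt = "daily";
    # Runs when the unit stops, so a regenerated list is reloaded by unbound.
    postStop = "systemctl try-reload-or-restart unbound";
    path = with pkgs; [ gawk wget ];
    # Scratch files go in a private /tmp created with mktemp instead of a
    # fixed, root-owned /tmp/new.conf on the shared (and persisted) /tmp.
    serviceConfig.PrivateTmp = true;
    script = ''
      set -euo pipefail
      work=$(mktemp -d)
      trap 'rm -rf "$work"' EXIT

      # Download first; with -e a failed fetch aborts before the live
      # list is touched.
      wget -nv -O "$work/new.conf" ${blocklistUrl}
      echo 'local-zone: "iogames.space." always_nxdomain' >> "$work/new.conf"
      echo 'local-zone: "taming.io." always_nxdomain' >> "$work/new.conf"

      # Deduplicate into a scratch file, then copy into the live path. The
      # live file is written in place (it is persisted as a single-file
      # bind mount, where a rename-over is not expected to work).
      awk '!seen[$0]++' "$work/new.conf" > "$work/ads.conf"
      cat "$work/ads.conf" > ${adsConf}
    '';
  };

  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
  ];

  # The root filesystem is ephemeral; only the paths below survive a reboot.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos" "/var/lib/systemd" "/tmp" ];
    files = [
      "/etc/machine-id"
      "/etc/adjtime"
      # Host keys are kept so the SSH identity is stable across reboots.
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      adsConf
    ];
  };

  # 53: DNS for the LAN. 67/68: DHCPv4 server.
  networking.firewall = {
    allowedUDPPorts = [ 53 67 68 ];
    allowedTCPPorts = [ 53 ];
  };

  system.stateVersion = "23.11"; # Did you read the comment?

  # Remote builds: every derivation is built on zeus over SSH using a
  # sops-managed key (default secret ownership is root, which is what
  # the nix daemon runs as).
  sops.secrets."nixremote/sshkey" = { };
  nix.buildMachines = [{
    hostName = "zeus";
    systems = [ "x86_64-linux" "aarch64-linux" ];
    protocol = "ssh-ng";
    sshKey = config.sops.secrets."nixremote/sshkey".path;
    sshUser = "nixremote";
    supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
  }];
  programs.ssh.extraConfig = ''
    Host zeus
      User nixremote
      # accept-new trusts the builder's key on first contact; a pre-provisioned
      # known_hosts entry would close that first-connection window.
      StrictHostKeyChecking accept-new
      IdentitiesOnly yes
      IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
  '';
  nix.distributedBuilds = true;
  # Never build locally on the board.
  nix.settings.max-jobs = 0;
}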