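{ config, lib, pkgs, ... }:

# NixOS host configuration for "nixos-server-reid".
#
# What this host runs:
#   * wpa_supplicant Wi-Fi, with the PSK injected from a secrets file;
#   * OpenSSH;
#   * OpenResty (nginx + Lua) serving reidlab.online from a Lua application;
#   * Forgejo (through the gitea module) at git.reidlab.online, reverse-proxied
#     by nginx and backed by PostgreSQL;
#   * Redis, reached from the Lua application through lua-resty-redis.
#
# A NixOS module only receives `config`, `lib` and `pkgs` (plus `options`,
# `modulesPath` and any specialArgs).  The luarocks-builder names the header
# used to ask for (`luaOlder`, `buildLuarocksPackage`, `lua`, `fetchgit`) were
# never referenced in the body and have been dropped.

let
  # Lua libraries that are loaded into the nginx worker processes.  Each one
  # is pinned by tag AND by fixed-output hash, so a tag being moved upstream
  # cannot change the code that runs in-process with nginx unless this file
  # changes too.
  lua-resty-template = pkgs.fetchFromGitHub {
    owner = "bungle";
    repo = "lua-resty-template";
    rev = "v2.0";
    sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
  };
  lua-resty-redis = pkgs.fetchFromGitHub {
    owner = "openresty";
    repo = "lua-resty-redis";
    rev = "v0.29";
    sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
  };
in
{
  imports = [ ./hardware-configuration.nix ];

  # Git
  environment.systemPackages = [ pkgs.git ];

  # Bootloader
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;

  # Enable flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Networking
  networking.hostName = "nixos-server-reid";

  # Wi-Fi.  The PSK is deliberately NOT written into this file (everything in
  # here ends up world-readable in /nix/store).  "@password@" is a placeholder
  # that wpa_supplicant's environmentFile support substitutes at service start
  # from the variable `password` in /run/secrets/wireless.env; keep that file
  # readable by root only.
  networking.wireless = {
    enable = true;
    # Lets members of userControlled.group (wheel by default) drive wpa_cli.
    userControlled.enable = true;
    environmentFile = "/run/secrets/wireless.env";
    networks.Ryan.psk = "@password@";
  };

  # Set your time zone.
  time.timeZone = "America/Los_Angeles";

  # Editors - Nano
  programs.nano.syntaxHighlight = true;

  # Users
  users.groups.dotfiles = { };

  # Users - reidlab.  `wheel` grants sudo.  No password hash and no SSH keys
  # are declared here, so this account's credentials are managed outside this
  # file (or still need to be added before SSH logins can be key-only).
  users.users.reidlab = {
    isNormalUser = true;
    extraGroups = [ "wheel" "dotfiles" ];
    packages = with pkgs; [ tree ];
  };

  # Services - OpenSSH
  # NOTE: services.openssh.openFirewall defaults to true, so TCP/22 is reachable
  # even though networking.firewall.allowedTCPPorts below only lists 80 and 443.
  services.openssh = {
    enable = true;
    settings = {
      # `services.openssh.permitRootLogin` is the pre-23.05 spelling; the
      # module now takes sshd_config keys verbatim under `settings`.
      PermitRootLogin = "no";
      # TODO(security): sshd still accepts password logins.  Once
      # users.users.reidlab.openssh.authorizedKeys.keys is populated, add:
      #   PasswordAuthentication = false;
      #   KbdInteractiveAuthentication = false;
    };
  };

  # Services - Nginx (OpenResty build, so the *_by_lua directives below work)
  services.nginx = {
    package = pkgs.openresty;
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };

  services.nginx.commonHttpConfig = ''
    # Lua module search path: site-local code first, then the pinned libraries,
    # then (the trailing ";;") OpenResty's default path.  Entries are separated
    # by a single ";" -- the previous ";;" between every entry spliced the
    # default path in three times.
    lua_package_path "/var/www/reidlab.online/lua/?.lua;${lua-resty-template}/lib/?.lua;${lua-resty-redis}/lib/?.lua;;";

    # Security headers.  `always` makes nginx emit them on 4xx/5xx responses
    # too (including the internal error pages below); without it they are only
    # attached to 2xx/3xx.  Be aware that any `add_header` placed inside a
    # `location` block discards ALL headers inherited from this level.

    # HSTS with preloading, only on HTTPS responses: the map yields an empty
    # value for plain http and nginx drops headers whose value is empty.
    # Adding this header to HTTP requests is discouraged.
    map $scheme $hsts_header {
      https "max-age=31536000; includeSubdomains; preload";
    }
    add_header Strict-Transport-Security $hsts_header always;

    # Enable CSP for your services.
    # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    # ^ this above is breaking forgejo

    # Minimize information leaked to other domains
    add_header 'Referrer-Policy' 'origin-when-cross-origin' always;

    # Disable embedding as a frame
    add_header X-Frame-Options DENY always;

    # Prevent injection of code in other mime types (XSS Attacks)
    add_header X-Content-Type-Options nosniff always;

    # Legacy browser XSS auditor.  Current browsers ignore this header and
    # OWASP now recommends "0" (or omitting it) because the auditor itself has
    # been used for cross-site leaks; a CSP (see above) is the real control.
    add_header X-XSS-Protection "1; mode=block" always;

    # Harden cookies set by proxied backends.  SameSite=strict can break
    # cross-site flows (OAuth callbacks, links from other origins), hence the
    # original "This might create errors" remark.
    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
  '';

  services.nginx.virtualHosts."reidlab.online" = {
    forceSSL = true;
    enableACME = true;
    root = "/var/www/reidlab.online/public";
    extraConfig = ''
      error_page 404 /errors/404.html;
      error_page 403 /errors/403.html;
      error_page 500 /errors/500.html;

      # `internal` keeps the error documents from being requested directly.
      location = /errors/404.html {
        root /var/www/reidlab.online/public/;
        internal;
      }
      location = /errors/403.html {
        root /var/www/reidlab.online/public/;
        internal;
      }
      location = /errors/500.html {
        root /var/www/reidlab.online/public/;
        internal;
      }

      # Static files win; anything else is handed to the Lua application.
      location / {
        try_files $uri @main;
      }

      # Only an access-phase handler is declared here, so after chat.lua
      # allows the request it falls through to the static root -- verify that
      # is the intended behaviour.
      location /chat {
        access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
      }

      # NOTE(security): main.lua (and chat.lua above) execute inside the nginx
      # workers, so write access to /var/www/reidlab.online/lua is equivalent
      # to code execution as the nginx user -- keep that directory owned by a
      # deploy identity, not writable by the web server.
      location @main {
        content_by_lua_block {
          require("main").handle_request()
        }
      }
    '';
  };

  # Services - Forgejo (run through the gitea module with the forgejo package)
  services.gitea = {
    enable = true;
    package = pkgs.forgejo;
    stateDir = "/var/lib/git.reidlab.online";
    appName = "Forgejo: reidlab.online git";
    database = {
      type = "postgres";
      name = "gitea";
    };
    settings = {
      "security" = {
        INSTALL_LOCK = true;
        PASSWORD_HASH_ALGO = "argon2";
        # Checks new passwords against HaveIBeenPwned (k-anonymity API);
        # requires outbound HTTPS from this host.
        PASSWORD_CHECK_PWN = true;
      };
      "ui.meta" = {
        AUTHOR = "reidlab";
        DESCRIPTION = "reidlab's git instance";
      };
      "server" = {
        DOMAIN = "git.reidlab.online";
        # Bind the backend to loopback only.  The firewall already blocks
        # TCP/3000 from outside, but nginx proxies to 127.0.0.1 anyway, so
        # there is no reason to listen on every interface.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        ROOT_URL = "https://git.reidlab.online/";
      };
      "repository" = {
        DEFAULT_BRANCH = "main";
      };
      "picture" = {
        DISABLE_GRAVATAR = false;
        ENABLE_FEDERATED_AVATAR = true;
      };
      "service" = {
        # NOTE(security): with registration left enabled (DISABLE_REGISTRATION
        # is commented out) and neither CAPTCHA nor e-mail confirmation
        # required, anyone on the internet can create accounts and
        # repositories here.  Either re-enable DISABLE_REGISTRATION or turn
        # on ENABLE_CAPTCHA / REGISTER_EMAIL_CONFIRM.
        ENABLE_CAPTCHA = false;
        REGISTER_EMAIL_CONFIRM = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        DEFAULT_ENABLE_TIMETRACKING = true;
        # DISABLE_REGISTRATION = true;
      };
    };
  };

  services.nginx.virtualHosts."git.reidlab.online" = {
    forceSSL = true;
    enableACME = true;
    # `proxyPass` is the module's native form; with recommendedProxySettings
    # above it also emits the X-Forwarded-* headers Forgejo needs to build
    # correct URLs behind the proxy.
    locations."/".proxyPass = "http://127.0.0.1:3000";
  };

  # Services - Postgres (the gitea module creates its database and role)
  services.postgresql.enable = true;

  # Services - Redis
  services.redis.enable = true;

  # Security
  security = {
    protectKernelImage = true;
  };

  security.acme = {
    acceptTerms = true;
    email = "reidlab325@gmail.com";
  };

  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "23.11"; # Did you read the comment?
}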