# NixOS configuration for the host "snowbelle": turns on the repository's
# system / homelab / service modules, sets boot, networking and shell
# defaults, and declares the inbound firewall allow-lists.
{ config, lib, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../users/users.nix
    ../../modules/system/default.nix
    ../../modules/homelab/default.nix
  ];

  # Feature toggles. The option declarations live in the imported modules and
  # are not visible here, so what each switch configures must be read there.
  modules.system = {
    ssh.enable = true;
    backups = {
      enable = true;
      repo = "/holocron/backups";
    };
    sops.enable = true;
    docker.enable = true;
    syncthing.enable = true;
    tailscale.enable = true;
    vpns = {
      enable = true;
      openvpn_pia_mexico = true;
    };
    nvidia.enable = true;
  };

  modules.homelab = {
    zfs.enable = true;
    smb.enable = true;
    nfs.enable = true;
    nginx-proxy.enable = true;
  };

  modules.services = {
    jellyfin.enable = true;
    vaultwarden.enable = true;
    gitea.enable = true;
    prowlarr.enable = true;
    radarr.enable = true;
    sonarr.enable = true;
    flaresolverr.enable = true;
  };

  users = {
    # enable users
    blake.enable = true;
    groups.media.gid = 700;
    # default login shell (zsh is enabled under `programs` below)
    defaultUserShell = pkgs.zsh;
  };

  boot = {
    # testing!
    plymouth.enable = false;
    initrd.systemd.enable = true; # optional, for nicer initrd logs

    # use the systemd-boot EFI boot loader.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  # hostname and networking stack
  networking = {
    hostName = "snowbelle";
    networkmanager.enable = true;
    # NixOS requires a hostId when ZFS is in use (zfs is enabled above).
    hostId = "3e6e7055";

    firewall = {
      # The firewall stays on; the two lists below are the inbound openings
      # declared in this file.
      enable = true;

      # NOTE(review): allowedTCPPorts opens these ports on every interface.
      # The file-sharing ports (111, 139, 445, 2049) and the per-service
      # ports are therefore reachable from any network this host joins.
      # If they are only meant for the LAN or the tailnet, scope them with
      # networking.firewall.interfaces.<name>.allowedTCPPorts instead.
      #
      # NOTE(review): nginx-proxy is enabled and 80/443 are open. If the
      # services are meant to be reached through the proxy, their backend
      # ports (e.g. 7701 vaultwarden) may not need to be open as well,
      # confirm against the proxy module.
      #
      # NOTE(review): several entries name services this file does not
      # enable (audiobookshelf, yacreader, qbittorrent, bazarr, archivebox,
      # kiwix, glance, immich, hass, zigbee2mqtt, uptime kuma, minecraft).
      # Presumably they run elsewhere (docker is enabled); confirm each
      # still has a listener and drop the ones that do not.
      allowedTCPPorts = [
        80 # set - http
        111 # set - portmapper for nfs
        139 # set - smb
        443 # set - https
        445 # set - cifs
        1198 # NOTE(review): purpose not recorded, confirm what listens here
        1883 # set - mqtt
        2049 # set - nfs
        2222 # srv - syncthing
        7100 # srv - jellyfin
        7101 # srv - audiobookshelf
        7102 # srv - yacreader
        7103 # srv - qbittorrent
        7104 # srv - prowlarr
        7105 # srv - flaresolverr
        7106 # srv - bazarr
        7107 # srv - sonarr
        7108 # srv - radarr
        5701 # srv - archivebox
        7502 # srv - kiwix
        7567 # srv - gitea ssh
        7700 # srv - glance
        7701 # srv - vaultwarden
        7702 # srv - immich
        7703 # srv - gitea
        7704 # srv - hass
        7705 # srv - zigbee2mqtt
        7901 # srv - uptime kuma
        25777 # srv - minecraft
        25565 #   ^ same as above
        25566 #   |
        25567 #   |
      ];

      # NOTE(review): purpose not recorded; 51820 is conventionally the
      # WireGuard port, confirm which service needs it inbound.
      allowedUDPPorts = [ 51820 ];
    };
  };

  # set timezone
  time.timeZone = "America/Chicago";

  programs = {
    # define shell
    zsh.enable = true;

    # ld fix
    nix-ld = {
      enable = true;
      libraries = with pkgs; [
        # Add any missing dynamic libraries for unpackaged
        # programs here, NOT in environment.systemPackages
      ];
    };
  };

  # package install list
  environment.systemPackages = with pkgs; [
    vim
    lf
    rsync
    wget
    git
    iptables
    nettools
    neofetch
    btop
    age
  ];

  # allow proprietary packages
  nixpkgs.config.allowUnfree = true;

  # enable flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Release whose stateful defaults this install was created with; per the
  # NixOS manual it is not meant to be bumped as part of a routine upgrade.
  system.stateVersion = "25.05";
}