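# NixOS host "vaniville": a VPS that publishes selected homelab services to the
# internet by DNAT-ing inbound traffic on its public interface to a homelab
# address reachable over Tailscale.
{ config, lib, stable_pkgs, unstable_pkgs, ... }:
let
  pkgs = stable_pkgs.x86_64;
  unstable = unstable_pkgs.x86_64;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../users/users.nix
    ../../modules/system
  ];

  modules = {
    system = {
      tailscale.enable = true;
    };
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Hostname and networking stack.
  networking.hostName = "vaniville";
  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.

  time.timeZone = "America/Chicago";

  # Default shell.
  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;

  environment.systemPackages = with pkgs; [
    vim
    rsync
    wget
    git
    iptables
    nettools
    neofetch
    btop
  ];

  # Allow proprietary packages.
  nixpkgs.config.allowUnfree = true;

  # Enable flakes.
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  networking.firewall.enable = true;

  # Port-forwarding rule set. These rules are IPv4-only (iptables); IPv6 is left
  # to whatever ip6tables rules the NixOS firewall installs.
  #
  # NOTE(review): the `iptables -F` / `-X` calls below wipe every chain in the
  # filter, nat and mangle tables, which presumably includes the nixos-fw*
  # chains the NixOS firewall module (enabled above) sets up in the same start
  # script. If so, options such as allowedTCPPorts have no effect on this host
  # and later steps of that script that reference those chains may fail —
  # confirm against the module's start script, and consider either appending
  # to the NixOS chains instead of flushing, or disabling the module and owning
  # the rule set entirely here.
  networking.firewall.extraCommands = ''
    HOMELAB_IP="10.10.0.10"     # forwarding destination (homelab, reached over tailscale)
    PUBLIC_IF="eth0"            # vps public interface
    TAILSCALE_IF="tailscale0"   # tailscale interface

    # forward_to_homelab <proto> <port>
    # DNAT traffic arriving on the public interface for <port> to the homelab and
    # allow that forwarded traffic out over the tailscale interface. Replies are
    # covered by the stateful FORWARD rule below, not by per-port rules.
    forward_to_homelab() {
      iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$HOMELAB_IP:$2"
      iptables -A FORWARD -i "$PUBLIC_IF" -o "$TAILSCALE_IF" -p "$1" --dport "$2" -j ACCEPT
    }

    # flush rules (avoid dupes)
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # set default policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # allow replies (stateful). The FORWARD entry carries the homelab -> client
    # replies for the DNAT'd connections below; keying it on connection state
    # instead of on a source port means the homelab side cannot open new
    # connections through the vps merely by choosing a forwarded port as its
    # source port.
    iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # allow vps outbound on the public interface (redundant with the OUTPUT
    # policy above; kept so the intent survives a policy change)
    iptables -A OUTPUT -o "$PUBLIC_IF" -j ACCEPT

    # enable ip forwarding (the declarative equivalent is
    # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;)
    sysctl -w net.ipv4.ip_forward=1

    # masquerade forwarded traffic as it leaves over tailscale so the homelab
    # routes replies back through the vps. Side effect: the homelab sees every
    # forwarded connection as coming from the vps tailscale address rather than
    # from the real client, so its logs and any per-client rate limiting do not
    # see client addresses.
    iptables -t nat -A POSTROUTING -o "$TAILSCALE_IF" -j MASQUERADE

    # services on the vps itself
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT   # pings
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT                  # ssh (all interfaces, public one included)

    # --- minecraft --- port 25777 tcp & udp
    forward_to_homelab tcp 25777
    forward_to_homelab udp 25777

    # --- reverse proxy --- ports 80 & 443 tcp
    forward_to_homelab tcp 80
    forward_to_homelab tcp 443

    # --- gitea ssh --- port 7567 tcp
    forward_to_homelab tcp 7567

    # --- rustdesk ---
    # hbbs ports
    forward_to_homelab tcp 21115   # nat type test
    forward_to_homelab tcp 21116   # id registration, heartbeat, tcp hole punching
    forward_to_homelab udp 21116
    forward_to_homelab tcp 21118   # web client support
    # hbbr ports
    forward_to_homelab tcp 21117   # relay services
    forward_to_homelab tcp 21119   # web client support
  '';

  system.stateVersion = "25.05"; # Did you read the comment?
}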