{ config, lib, pkgs, ... }:

with lib;

let
  tvpkgs = import ../pkgs { inherit pkgs; };
in

{
  krebs.build.host = config.krebs.hosts.wu;
  krebs.build.user = config.krebs.users.tv;

  krebs.build.target = "root@wu";

  krebs.build.deps = {
    nixpkgs = {
      url = https://github.com/NixOS/nixpkgs;
      rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
    };
    secrets = {
      url = "/home/tv/secrets/${config.krebs.build.host.name}";
    };
    stockholm = {
      url = toString ../..;
    };
  };

  imports = [
    ../configs/w110er.nix
    ../configs/base.nix
    ../configs/consul-client.nix
    ../configs/exim-retiolum.nix
    ../configs/git.nix
    ../configs/mail-client.nix
    ../configs/xserver.nix
    ../configs/synaptics.nix # TODO w110er if xserver is enabled
    ../configs/urlwatch.nix
    {
      environment.systemPackages = with pkgs; [

        # stockholm
        git
        gnumake
        parallel
        tvpkgs.genid
        tvpkgs.hashPassword
        tvpkgs.lentil
        (pkgs.writeScriptBin "ff" ''
          #! ${pkgs.bash}/bin/bash
          exec sudo -u ff -i <<EOF
          exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
          EOF
        '')
        (pkgs.writeScriptBin "im" ''
          #! ${pkgs.bash}/bin/bash
          export PATH=${makeSearchPath "bin" (with pkgs; [
            tmux
            gnugrep
            weechat
          ])}
          if tmux list-sessions -F\#S | grep -q '^im''$'; then
            exec tmux attach -t im
          else
            exec tmux new -s im weechat
          fi
        '')

        # root
        cryptsetup
        ntp # ntpate

        # tv
        bc
        bind # dig
        file
        gitAndTools.qgit
        gnupg21
        haskellPackages.hledger
        htop
        jq
        manpages
        mkpasswd
        mpv
        netcat
        nix-repl
        nmap
        p7zip
        pavucontrol
        posix_man_pages
        qrencode
        sxiv
        texLive
        tmux
        tvpkgs.dic
        zathura

        #ack
        #apache-httpd
        #ascii
        #emacs
        #es
        #esniper
        #gcc
        #gptfdisk
        #graphviz
        #haskellPackages.cabal2nix
        #haskellPackages.ghc
        #haskellPackages.shake
        #hdparm
        #i7z
        #iftop
        #imagemagick
        #inotifyTools
        #iodine
        #iotop
        #lshw
        #lsof
        #minicom
        #mtools
        #ncmpc
        #neovim
        #nethogs
        #nix-prefetch-scripts #cvs bug
        #openssl
        #openswan
        #parted
        #perl
        #powertop
        #ppp
        #proot
        #pythonPackages.arandr
        #pythonPackages.youtube-dl
        #racket
        #rxvt_unicode-with-plugins
        #scrot
        #sec
        #silver-searcher
        #sloccount
        #smartmontools
        #socat
        #sshpass
        #strongswan
        #sysdig
        #sysstat
        #tcpdump
        #tlsdate
        #unetbootin
        #utillinuxCurses
        #wvdial
        #xdotool
        #xkill
        #xl2tpd
        #xsel
      ];
    }
    {
      tv.iptables = {
        enable = true;
        input-internet-accept-new-tcp = [
          "ssh"
          "http"
          "tinc"
          "smtp"
        ];
      };
    }
    {
      krebs.nginx = {
        enable = true;
        servers.default.locations = [
          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
            alias /home/$1/public_html$2;
          '')
        ];
      };
    }
    {
      krebs.retiolum = {
        enable = true;
        connectTo = [
          "gum"
          "pigstarter"
        ];
      };
    }
    {
      users.extraGroups = {
        tv.gid = 1337;
        slaves.gid = 3799582008; # genid slaves
      };

      users.extraUsers =
        mapAttrs (name: user@{ extraGroups ? [], ... }: user // {
          inherit name;
          home = "/home/${name}";
          createHome = true;
          useDefaultShell = true;
          group = "tv";
          extraGroups = ["slaves"] ++ extraGroups;
        }) {
          ff = {
            uid = 13378001;
            extraGroups = [
              "audio"
              "video"
            ];
          };

          cr = {
            uid = 13378002;
            extraGroups = [
              "audio"
              "video"
              "bumblebee"
            ];
          };

          fa = {
            uid = 2300001;
          };

          rl = {
            uid = 2300002;
          };

          tief = {
            uid = 2300702;
          };

          btc-bitcoind = {
            uid = 2301001;
          };

          btc-electrum = {
            uid = 2301002;
          };

          ltc-litecoind = {
            uid = 2301101;
          };

          eth = {
            uid = 2302001;
          };

          emse-hsdb = {
            uid = 4200101;
          };

          wine = {
            uid = 13370400;
            extraGroups = [
              "audio"
              "video"
              "bumblebee"
            ];
          };

          df = {
            uid = 13370401;
            extraGroups = [
              "audio"
              "video"
              "bumblebee"
            ];
          };

          xr = {
            uid = 13370061;
            extraGroups = [
              "audio"
              "video"
            ];
          };

          "23" = {
            uid = 13370023;
          };

          electrum = {
            uid = 13370102;
          };

          skype = {
            uid = 6660001;
            extraGroups = [
              "audio"
            ];
          };

          onion = {
            uid = 6660010;
          };

          zalora = {
            uid = 1000301;
            extraGroups = [
              "audio"
              # TODO remove vboxusers when hardening is active
              "vboxusers"
              "video"
            ];
          };
        };

      security.sudo.extraConfig =
        let
          isSlave = u: elem "slaves" u.extraGroups;
          masterOf = u: u.group;
          slaves = filterAttrs (_: isSlave) config.users.extraUsers;
          toSudoers = u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL";
        in
        concatMapStringsSep "\n" toSudoers (attrValues slaves);
    }
  ];

  boot.initrd.luks = {
    cryptoModules = [ "aes" "sha512" "xts" ];
    devices = [
      { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
    ];
  };

  fileSystems = {
    "/" = {
      device = "/dev/mapper/vg840-wuroot";
      fsType = "btrfs";
      options = "defaults,noatime,ssd,compress=lzo";
    };
    "/home" = {
      device = "/dev/mapper/home";
      options = "defaults,noatime,ssd,compress=lzo";
    };
    "/boot" = {
      device = "/dev/sda1";
    };
    "/tmp" = {
      device = "tmpfs";
      fsType = "tmpfs";
      options = "nosuid,nodev,noatime";
    };
  };

  nixpkgs.config.chromium.enablePepperFlash = true;

  nixpkgs.config.allowUnfree = true;
  hardware.bumblebee.enable = true;
  hardware.bumblebee.group = "video";
  hardware.enableAllFirmware = true;
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.enable = true;

  environment.systemPackages = with pkgs; [
    xlibs.fontschumachermisc
    slock
    ethtool
    #firefoxWrapper # with plugins
    #chromiumDevWrapper
    tinc
    iptables
    #jack2
  ];

  security.setuidPrograms = [
    "sendmail"  # for cron
    "slock"
  ];

  services.printing.enable = true;

  services.journald.extraConfig = ''
    SystemMaxUse=1G
    RuntimeMaxUse=128M
  '';

  # see tmpfiles.d(5)
  systemd.tmpfiles.rules = [
    "d /tmp 1777 root root - -" # does this work with mounted /tmp?
  ];

  virtualisation.libvirtd.enable = true;

  networking.extraHosts = ''
    192.168.1.1 wrt.gg23 wrt
    192.168.1.11 mors.gg23
    192.168.1.12 uriel.gg23
    192.168.1.23 raspi.gg23 raspi
    192.168.1.37 wu.gg23
    192.168.1.111 nomic.gg23
    192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
  '';

  services.udev.extraRules = ''
    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"

    # for jack
    KERNEL=="rtc0", GROUP="audio"
    KERNEL=="hpet", GROUP="audio"
  '';

  services.bitlbee.enable = true;
  services.tor.client.enable = true;
  services.tor.enable = true;
  services.virtualboxHost.enable = true;

  # TODO w110er if xserver is enabled
  services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
}