server-config/configuration.nix

{
  config,
  lib,
  pkgs,
  hostname,
  username,
  eth_interface,
  service_configs,
  options,
  ...
}:
{
  imports = [
    ./hardware.nix
    ./zfs.nix

    ./services/postgresql.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix

    ./services/wg.nix
    # ./services/qbittorrent.nix
    ./services/bitmagnet.nix

    # ./services/matrix.nix
    # ./services/owntracks.nix
    ./services/soulseek.nix

    # ./services/llama-cpp.nix
  ];

  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  # srvos enables vim, i don't want to use vim, disable it here:
  programs.vim =
    {
      defaultEditor = false;
    }
    // lib.optionalAttrs (options.programs.vim ? enable) {
      enable = false;
    };

  powerManagement = {
    powertop.enable = true;
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "4096";
    }
  ];

  nix = {
    # optimize the store
    optimise.automatic = true;

    # enable flakes!
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
  };

  boot = {
    # 6.12 LTS until 2026
    kernelPackages = pkgs.linuxPackages_6_12_hardened;

    loader = {
      # Use the systemd-boot EFI boot loader.
      efi.canTouchEfiVariables = true;

      # 1s timeout
      timeout = 1;
    };

    initrd = {
      compressor = "zstd";
    };

    loader.systemd-boot.enable = lib.mkForce false;

    lanzaboote = {
      enable = true;
      # needed to be in `/etc/secureboot` for sbctl to work
      pkiBundle = "/etc/secureboot";
    };
  };

  system.activationScripts = {
    # extract all my secureboot keys
    "secureboot-keys".text = ''
      #!/bin/sh
      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
    '';
  };

  environment.etc = {
    "issue".text = "";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      AllowUsers = [
        username
        "root"
      ];
      PasswordAuthentication = false;
      PermitRootLogin = "yes"; # for deploying configs
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  #fwupd for updating firmware
  services.fwupd = {
    enable = true;
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    lm_sensors
    bottom
    htop

    doas-sudo-shim
    neofetch

    borgbackup
    smartmontools

    ripgrep

    intel-gpu-tools
    iotop
    iftop

    tmux

    wget

    powertop

    lsof

    (pkgs.writeShellApplication {
      name = "disk-smart-test";
      runtimeInputs = with pkgs; [
        gnugrep
        coreutils
        smartmontools
      ];

      # i gotta fix that
      excludeShellChecks = [ "SC2010" ];

      text = ''
        #!/bin/sh
        set -e
        if [[ $EUID -ne 0 ]]; then
          echo "This command requires root."
          exit 2
        fi

        DISKS=$(ls /dev/sd* | grep -v "[0-9]$")
        for i in $DISKS; do
          echo -n "$i "
          smartctl -a "$i" | grep "SMART overall-health self-assessment test result:" | cut -d' ' -f6
        done
      '';
    })

    (pkgs.writeShellApplication {
      name = "reflac";
      runtimeInputs = with pkgs; [ flac ];
      excludeShellChecks = [ "2086" ];

      text = builtins.readFile (
        pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/chungy/reflac/refs/heads/master/reflac";
          sha256 = "61c6cc8be3d276c6714e68b55e5de0e6491f50bbf195233073dbce14a1e278a7";
        }
      );
    })

    pfetch-rs

    sbctl
  ];

  systemd.services.no-rgb =
    let
      no-rgb = (
        pkgs.writeShellApplication {
          name = "no-rgb";
          runtimeInputs = with pkgs; [
            openrgb
            coreutils
            gnugrep
          ];

          text = ''
            #!/bin/sh
            set -e

            NUM_DEVICES=$(openrgb --noautoconnect --list-devices | grep -cE '^[0-9]+: ')

            for i in $(seq 0 $((NUM_DEVICES - 1))); do
              openrgb --noautoconnect --device "$i" --mode direct --color 000000
            done
          '';
        }
      );
    in
    {
      description = "disable rgb";
      serviceConfig = {
        ExecStart = "${no-rgb}/bin/${no-rgb.name}";
        Type = "oneshot";
      };
      wantedBy = [ "multi-user.target" ];
    };

  services.hardware.openrgb = {
    enable = true;
    package = pkgs.openrgb-with-all-plugins;
    motherboard = "amd";
  };

  services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
  hardware.i2c.enable = true;

  networking = {
    nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];

    hostName = hostname;
    hostId = "0f712d56";
    firewall.enable = true;
    useDHCP = false;
    enableIPv6 = false;

    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = "fe80::9e6b:ff:fe4d:abb";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = {
      address = "10.1.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  users.groups.${service_configs.torrent_group} = { };

  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "video"
      "render"
      service_configs.torrent_group
    ];

    hashedPasswordFile = builtins.toString ./secrets/hashedPass;

    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
    ];
  };

  # used for deploying configs to server
  users.users.root.openssh.authorizedKeys.keys =
    config.users.users.${username}.openssh.authorizedKeys.keys;

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  programs.bash = {
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    #lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    doas.extraRules = [
      {
        users = [ username ];
        keepEnv = true;
        persist = true;
      }
    ];
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    password = builtins.readFile ./secrets/murmur_password;
  };

  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  # systemd.tmpfiles.rules = [
  #   "d /tank/music 775 ${username} users"
  # ];

  system.stateVersion = "24.11";
}