
{
config,
lib,
pkgs,
hostname,
username,
eth_interface,
service_configs,
...
}:
{
# Host-specific hardware module plus one module per self-hosted service.
# Commented entries (quadlet, soulseek) are intentionally left out of the
# build; uncommenting one is all that is needed to bring it back.
imports = [
  ./hardware.nix
  ./services/jellyfin.nix
  ./services/caddy.nix
  # ./services/quadlet.nix
  ./services/immich.nix
  ./services/gitea.nix
  ./services/minecraft.nix
  # ./services/soulseek.nix
  ./services/wg.nix
  ./services/qbittorrent.nix
  ./services/bitmagnet.nix
];
# This is an always-on server: disable every power-saving target so that
# neither a stray `systemctl suspend` nor a desktop helper can put it to sleep.
systemd.targets = lib.genAttrs [ "sleep" "suspend" "hibernate" "hybrid-sleep" ] (_: {
  enable = false;
});
# Nix daemon settings: periodic store deduplication and the flake CLI.
nix = {
  # Hard-link identical store files to reclaim disk space.
  optimise.automatic = true;
  # `nix-command` + `flakes` are required because this host is built from a flake.
  settings.experimental-features = [ "nix-command" "flakes" ];
};
# nh (https://github.com/viperML/nh): rebuild helper with scheduled garbage collection.
programs.nh = {
  enable = true;
  clean = {
    enable = true;
    # Keep generations newer than 4 days, and always the 3 most recent ones,
    # so there is something to roll back to after a bad rebuild.
    extraArgs = "--keep-since 4d --keep 3";
  };
};
# Kernel, root-on-ZFS support and the EFI boot loader.
boot = {
  kernelPackages = pkgs.linuxPackages_latest;
  # ZFS: the "tank" pool is imported at boot in addition to the root pool.
  supportedFilesystems = [ "zfs" ];
  zfs.extraPools = [ "tank" ];
  # NOTE(review): zfsUnstable is paired with linuxPackages_latest here; the
  # unstable branch is presumably needed to track the newest kernel — confirm.
  zfs.package = pkgs.zfsUnstable;
  # systemd-boot on EFI; the 1 s menu timeout keeps unattended reboots fast.
  loader.systemd-boot.enable = true;
  loader.efi.canTouchEfiVariables = true;
  loader.timeout = 1;
  initrd.compressor = "zstd";
  # The nct6775 module (case fan control) was previously listed here and is
  # currently left out: `kernelModules = [ "nct6775" ];`
};
# Empty /etc/issue: the pre-login console banner prints nothing (no OS or
# kernel version is shown to whoever is at the physical console).
environment.etc."issue".text = "";
# Local time zone for logs, cron-style timers and the snapshot schedule.
time.timeZone = "America/New_York";
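# OpenSSH daemon, key-only: password login is refused and root cannot log in
# over SSH at all. Keys are granted per user via openssh.authorizedKeys below.
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    # Also refuse keyboard-interactive (PAM-driven) prompts; otherwise a
    # password can still be entered through that method even with
    # PasswordAuthentication off.
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };
};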
# GPU userspace for media transcoding (Intel): VA-API/VDPAU bridge, OpenCL
# runtime and the QSV runtime.
hardware.graphics = {
  enable = true;
  extraPackages = [
    pkgs.vaapiVdpau
    # OpenCL filter support (hardware tonemapping and subtitle burn-in)
    pkgs.intel-compute-runtime
    # QSV on 11th gen or newer
    pkgs.vpl-gpu-rt
  ];
};
# fwupd for updating firmware.
services.fwupd.enable = true;
# "lvfs-testing" adds the pre-release LVFS feed on top of the stable one;
# firmware from it has not gone through the full vendor/LVFS release gate,
# so updates from this remote should be applied deliberately, not blindly.
services.fwupd.extraRemotes = [ "lvfs-testing" ];
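# System-wide tools plus three small wrapper scripts.
environment.systemPackages =
  let
    # Attach to the Minecraft server's tmux console socket.
    mcConsole = pkgs.writeScriptBin "mc-console" ''
      #!/bin/sh
      ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
    '';

    # Print the SMART overall-health verdict of every whole /dev/sd? disk.
    # Written for POSIX sh because the shebang is /bin/sh: the bash-only
    # `[[ ]]` / `$EUID` are replaced by `[ ]` / `id -u`, and the disk list
    # comes from a glob instead of parsing `ls` output (which also aborted
    # under `set -e` when no /dev/sd* node existed).
    diskSmartTest = pkgs.writeScriptBin "disk-smart-test" ''
      #!/bin/sh
      set -e
      if [ "$(${pkgs.coreutils}/bin/id -u)" -ne 0 ]; then
        echo "This command requires root."
        exit 2
      fi
      for disk in /dev/sd*; do
        # Skip the literal pattern when nothing matched, and partition nodes (sda1, ...).
        [ -e "$disk" ] || continue
        case "$disk" in *[0-9]) continue ;; esac
        ${pkgs.coreutils}/bin/echo -n "$disk "
        ${pkgs.smartmontools}/bin/smartctl -a "$disk" | ${pkgs.gnugrep}/bin/grep "SMART overall-health self-assessment test result:" | ${pkgs.coreutils}/bin/cut -d' ' -f6
      done
    '';

    # Upstream reflac script, pinned by content hash: the URL points at a
    # mutable branch, so any upstream change fails the build instead of
    # silently shipping different code.
    reflac = pkgs.writeScriptBin "reflac" (
      builtins.readFile (
        pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/chungy/reflac/refs/heads/master/reflac";
          sha256 = "61c6cc8be3d276c6714e68b55e5de0e6491f50bbf195233073dbce14a1e278a7";
        }
      )
    );
  in
  with pkgs;
  [
    helix
    nixfmt-rfc-style
    lm_sensors
    bottom
    htop
    borgbackup
    smartmontools
    nil
    ripgrep
    intel-gpu-tools
    tmux
    mcConsole
    diskSmartTest
    flac
    reflac
  ];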
# ZFS housekeeping: periodic scrub, TRIM, and a rolling snapshot ladder
# (4 x 15-minute, 24 hourly, 7 daily, 4 weekly, 12 monthly).
services.zfs = {
  autoScrub.enable = true;
  trim.enable = true;
  autoSnapshot = {
    enable = true;
    frequent = 4; # 15-minute snapshots
    hourly = 24;
    daily = 7;
    weekly = 4;
    monthly = 12;
  };
};
# One-shot unit that turns every OpenRGB-visible device black at boot.
systemd.services.no-rgb =
  let
    # Enumerates device indices from `openrgb --list-devices` and sets each
    # one to direct mode with colour 000000. Relies on the "N: " line prefix
    # of the list output; zero devices yields an empty loop.
    disableRgb = pkgs.writeScriptBin "no-rgb" ''
      #!/bin/sh
      set -e
      NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
      for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
        ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
      done
    '';
  in
  {
    description = "disable rgb";
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    serviceConfig.ExecStart = "${disableRgb}/bin/no-rgb";
  };
# OpenRGB daemon with every vendor plugin, plus the udev rules and the i2c
# bus access it needs to reach motherboard/RAM controllers.
services.hardware.openrgb = {
  enable = true;
  package = pkgs.openrgb-with-all-plugins;
  motherboard = "amd";
};
services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
# NOTE: i2c access is broad hardware access; it is only needed for OpenRGB.
hardware.i2c.enable = true;
# Static LAN addressing on the interface passed in as `eth_interface`.
networking = {
  hostName = hostname;
  # Stable 8-hex-digit id; ZFS refuses to import pools whose hostid does not match.
  hostId = "0f712d56";
  # Default-deny firewall; services open their own ports (e.g. murmur's openFirewall).
  firewall.enable = true;
  # Public resolvers (Cloudflare, Quad9) rather than the router's.
  nameservers = [ "1.1.1.1" "9.9.9.9" ];
  useDHCP = false;
  # NOTE(review): enableIPv6 = false while a static ipv6 address is also
  # assigned below — one of the two is presumably stale; confirm which is
  # intended, since the address cannot take effect with IPv6 disabled.
  enableIPv6 = false;
  interfaces.${eth_interface}.ipv4.addresses = [
    {
      address = "10.1.1.102";
      prefixLength = 24;
    }
  ];
  interfaces.${eth_interface}.ipv6.addresses = [
    {
      address = "2603:9001:3900:f005:1779:17ed:4698:6259";
      prefixLength = 64;
    }
  ];
  defaultGateway.address = "10.1.1.1";
  defaultGateway.interface = eth_interface;
};
# Rootless/rootful containers via podman (used by the service modules).
virtualisation.containers.enable = true;
virtualisation.podman = {
  enable = true;
  # Required for containers under podman-compose to be able to talk to each
  # other by name: enables the aardvark DNS resolver on the default network.
  defaultNetwork.settings.dns_enabled = true;
};
# The single administrative user. "wheel" is what the doas rule below keys
# on; "video"/"render" give GPU access and "minecraft" the server's socket.
users.users.${username} = {
  isNormalUser = true;
  # Hash lives outside the Nix store (and outside this repo), so it is not
  # world-readable via /nix/store.
  hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
  extraGroups = [
    "wheel"
    "video"
    "render"
    "minecraft"
  ];
  # Public keys only; SSH password auth is disabled in services.openssh.
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
  ];
};
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
# fish is made the effective interactive shell without changing the login
# shell: bash stays the login shell (so non-interactive scripts keep POSIX
# semantics) and exec's into fish only for interactive sessions.
programs.fish.enable = true;
programs.bash = {
  # Skip the hand-off when the parent is already fish (avoids a loop) or
  # when bash was started with -c (BASH_EXECUTION_STRING set).
  # `''${` is the Nix escape for a literal `${` inside the '' string.
  interactiveShellInit = ''
    if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
    then
      shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
      exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
    fi
  '';
};
# Privilege escalation through doas only; sudo is removed entirely.
security = {
  sudo.enable = false;
  doas = {
    enable = true;
    extraRules = [
      {
        # Only the admin user may escalate.
        users = [ username ];
        # keepEnv: the caller's environment is passed to the root process
        # (needed by tools like nh/nixos-rebuild; it does widen what a
        # compromised user environment can influence).
        keepEnv = true;
        # persist: skip re-prompting for a short window after a success.
        persist = true;
      }
    ];
  };
};
# Mumble (murmur) voice server; openFirewall punches its port through the
# default-deny firewall configured in `networking`.
services.murmur = {
  enable = true;
  openFirewall = true;
  welcometext = "meow meow meow meow meow :3 xd";
  # NOTE(review): `builtins.readFile` of a repo path embeds the password in
  # the evaluated config, and the path itself is copied into the Nix store
  # with the flake source — so the secret presumably ends up world-readable
  # under /nix/store. The module's `environmentFile` option with a
  # placeholder value is the usual way to keep it out of the store; confirm.
  password = builtins.readFile ./secrets/murmur_password;
};
# PostgreSQL 16 backing the service modules; data is kept on the "tank"
# ZFS pool so it is covered by the snapshot/scrub schedule above.
services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_16;
services.postgresql.dataDir = "/tank/services/sql";
# Release this host was first installed with. Leave as-is across upgrades:
# it pins stateful defaults (e.g. database layouts), not the package set.
system.stateVersion = "24.05";
}