######################
#                    #
# HandlerOne - m710q #
#                    #
######################
{ config, inputs, lib, pkgs, ... }:
let
  # Project helper: resolve a path relative to the flake root.
  fromRoot = lib.custom.relativeToRoot;

  # Configuration every host pulls in.
  requiredModules = [ "hosts/common/core" ];

  # Opt-in host features.
  optionalModules = [
    "hosts/common/optional/keyd.nix"
    "hosts/common/optional/podman.nix"
  ];

  # Podman quadlets.
  quadletModules = [
    "modules/quadlets"
    "modules/quadlets/booklore"
  ];

  # Self-hosted services running on this machine.
  hostedServices = [
    "modules/services/mealie"
    "modules/services/actualbudget"
    "modules/services/frigate"
    "modules/services/homepage"
    "modules/services/mqtt"
    "modules/services/lubelogger"
    "modules/services/trilium"
    "modules/services/fail2ban"
    "modules/services/mesh/client.nix"
    "modules/services/auth-provider"
    "modules/services/paperless"
    "modules/services/matrix"
    "modules/services/freshrss"
    "modules/services/forgejo"
    "modules/services/flamesites"
  ];

  # Disk layout: the shared btrfs module is parameterised for this host's
  # NVMe device via _module.args.
  diskModules = [
    inputs.disko.nixosModules.disko
    (fromRoot "hosts/common/disks/btrfs-disk.nix")
    {
      _module.args = {
        disk = "/dev/nvme0n1";
        withSwap = true;
        swapSize = "8";
      };
    }
  ];
in
{
  imports =
    [
      # Hardware
      ./hardware-configuration.nix
      # FIXME(TODO): turn this into its own backup module
      ./backup.nix
    ]
    ++ diskModules
    ++ map fromRoot (requiredModules ++ optionalModules ++ quadletModules ++ hostedServices);

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  hostSpec = {
    hostName = "HandlerOne";
    persistFolder = "/persist";
  };

  networking = {
    networkmanager.enable = true;
    enableIPv6 = false;
    # Only the reverse proxy is reachable from outside; everything else is
    # expected to sit behind Caddy.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  sops = {
    # OIDC client credentials for the Caddy auth portal, kept in sops and
    # rendered into an environment file at activation time.
    secrets."caddy/oidc/client" = { };
    secrets."caddy/oidc/secret" = { };
    templates."caddyserver-env".content = ''
      POCKETID_CLIENT_ID=${config.sops.placeholder."caddy/oidc/client"}
      POCKETID_CLIENT_SECRET=${config.sops.placeholder."caddy/oidc/secret"}
    '';
  };

  services.caddy = {
    email = "infrastructure@wanderingcrow.net";
    # Let's Encrypt production endpoint.
    acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
    # caddy-security is pinned to an exact tag plus a fixed output hash, so a
    # changed upstream artifact fails the build instead of being picked up silently.
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/greenpau/caddy-security@v1.1.31" ];
      hash = "sha256-65Z20N16/jHOtVb85HLx0z4nHEuG9POEV7D5QXOGYQM=";
    };
    # The Caddyfile below only carries {env.*} references, so the client id and
    # secret are read from this sops-rendered file rather than being baked into
    # the generated config.
    environmentFile = config.sops.templates."caddyserver-env".path;
    # NOTE(review): DEBUG is verbose for a proxy that terminates the login flow;
    # check what the auth portal emits at this level before leaving it on
    # outside of troubleshooting.
    logFormat = ''
      level DEBUG
    '';
    # caddy-security setup:
    #  - the generic OIDC provider is wired to auth.wanderingcrow.net
    #  - portal tokens live 21600 s (6 h); `cookie insecure off` keeps the
    #    Secure attribute on portal cookies
    #  - the `frigate` policy only admits the frigate role and forwards identity
    #    as Remote-User / Remote-Role headers, so the upstream must accept those
    #    headers only from this proxy
    globalConfig = ''
      order authenticate before respond
      security {
        oauth identity provider generic {
          delay_start 3
          realm generic
          driver generic
          client_id {env.POCKETID_CLIENT_ID}
          client_secret {env.POCKETID_CLIENT_SECRET}
          scopes openid email profile groups
          base_auth_url https://auth.wanderingcrow.net
          metadata_url https://auth.wanderingcrow.net/.well-known/openid-configuration
        }

        authentication portal myportal {
          crypto default token lifetime 21600
          enable identity provider generic
          cookie insecure off
        }

        authorization policy frigate {
          set auth url /caddy-security/oauth2/generic
          allow roles frigate
          inject headers with claims
          inject header Remote-User from name
          inject header Remote-Role from groups
        }
      }
    '';
  };
}