# Do not modify this file!  It was generated by `nixos-generate-config`
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:

{
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];

  networking.hostId = "ce196a02";
  networking.hostName = "telperion";
  boot = {
    initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = {
      device = "zroot/root";
      fsType = "zfs";
    };

    "/nix" = {
      device = "zroot/nix";
      fsType = "zfs";
    };

    "/var" = {
      device = "zroot/var";
      fsType = "zfs";
    };

    "/home" = {
      device = "zroot/home";
      fsType = "zfs";
    };
  };

  swapDevices = [ ];

  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # Until I can figure out why the tftp port is not opening, disable the firewall.
  networking.firewall.enable = false;

  sops = {
    # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
    secrets = {
      "bind/rndc-keys/externaldns" = {
        owner = config.users.users.named.name;
        inherit (config.users.users.named) group;
        sopsFile = ./secrets.sops.yaml;
      };
      "bind/zones/jahanson.tech" = {
        owner = config.users.users.named.name;
        inherit (config.users.users.named) group;
        sopsFile = ./secrets.sops.yaml;
      };
      "1password-credentials.json" = {
        mode = "0444";
        sopsFile = ./secrets.sops.yaml;
      };
    };
  };

  # System settings and services.
  mySystem = {
    purpose = "Production";
    system = {
      motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
      resticBackup = {
        local.enable = false;
        remote.enable = false;
        local.noWarning = true;
        remote.noWarning = true;
      };
    };

    services = {
      podman.enable = true;

      onepassword-connect = {
        enable = true;
        credentialsFile = config.sops.secrets."1password-credentials.json".path;
      };

      bind = {
        enable = true;
        extraConfig = import ./config/bind.nix { inherit config; };
      };

      haproxy = {
        enable = true;
        config = import ./config/haproxy.nix { inherit config; };
        tcpPorts = [ 6443 6444 50000 ];
      };

      matchbox = {
        enable = true;
        # /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
        dataPath = "/opt/talbox/data";
        # /var/lib/matchbox/assets
        assetPath = "/opt/talbox/assets";
      };

      dnsmasq = {
        enable = true;
        tftpRoot = "/opt/talbox";
        bootAsset = "http://10.1.1.57:8086/boot.ipxe";
      };
    };
  };
}