{ config, lib, pkgs, ... }@args:

{

  imports = [
    ./services
    ./programs

    ./bluetooth.nix
    ./fonts.nix
    ./mobile-device.nix
  ];

  deployment = {
    buildOnTarget = lib.mkDefault false;
    targetUser    = lib.mkDefault "root";
    targetHost    = lib.mkDefault config.networking.fqdn;
    targetPort    = lib.mkDefault (lib.head config.services.openssh.ports);
  };

  networking.hostName = lib.mkDefault args.name;
  networking.domain   = lib.mkDefault "ctu.cx";

  i18n.defaultLocale    = "en_US.UTF-8";
  i18n.supportedLocales = ["de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];

  nix = {
    settings.trusted-users       = [ "@wheel" ];
    settings.auto-optimise-store = true;
    optimise     = {
      automatic = lib.mkDefault true;
      dates     = [ "12:00" "15:00" "18:00" "21:00" ];
    };
    gc           = {
      automatic = lib.mkDefault true;
      options   = "--delete-older-than 3d";
      dates     = "18:00";
    };
  };

  systemd.services.nginx.onFailure = [ "email-notify@%i.service" ];

  services = {
    timesyncd.enable = true;
    vnstat.enable    = true;
    vnstati.enable   = (lib.mkDefault (if (config.networking.primaryIP != "") || (config.networking.primaryIP4 != "") then true else false));
    fstrim.enable    = true;

    journald.extraConfig = "SystemMaxUse=1G";

    nginx = {
      recommendedGzipSettings  = true;
      recommendedOptimisation  = true;
      recommendedProxySettings = true;
      recommendedTlsSettings   = true;
      commonHttpConfig = ''
        server_names_hash_bucket_size 64;
        charset utf-8;

        access_log off;
      '';
      virtualHosts.default = {
        default   = true;
        rejectSSL = true;
      };
    };

    openssh = {
      enable                 = true;
      startWhenNeeded        = true;
      ports                  = [ 22 ];
      extraConfig            = "StreamLocalBindUnlink yes";
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin        = "without-password";
      };
    };
  };

  security = {
    acme.acceptTerms    = true;
    acme.defaults.email = "letsencrypt@ctu.cx";
  };

  age.secrets.leah-systempassword.file = ../../secrets/passwords/leah.age;

  users.mutableUsers = false;
  users.users = {

    root.openssh.authorizedKeys.keys = [
      #yubikey gpg
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:6445161"
      #ipad gpg
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC28lphReKNN+Ns2vdlOiqhiL/ByAv0foLFwYmF6HNwQVQjHg4n2956OuSxD/prsIycALNuicR1fh31MgR4KqbIPI6vDg1IjriIiXaQGULVK1z3B0pwUoGvlK6CVqBlVU5AjQXsEj04PQGiRcwPlgYJ//pInxSRZ0tQXvx6U5wljoHrEbg4rPVPHJPi/dU9lH2EA5cTxfIUiUYobdGr8U+ljGloi31vPPtC8kRe2Dj/smirsPARDugNCgImfAemaKX6hJsIdgKkjNGdS2f97G6cq+/T/iGiQy1PNNKqt2fSpzYbZvjpmBHN0GxMiEgViYT3saij572+DZujKjmM1ZVDlwB7TbAgF8mBhg2iyusi9sv31KNHVxf+gKE6cZ3SSz3nmCSBpdDPW1KIRrzGskoBVwsoZ5N6+yX+a5aChg6fR0X+pCYD0LKXhSgbV6jxad5f7OACh3DMVN4aphQLxXJrCAZQP02f4Skpnn0kroDoGObkE2+Gu+cXAwLxPv0rsfSVGlfRiTOPKa/09LJHbPsjhPXE6b295VhT0EaEp/a7WjcSBkUUmujI5IOijANpPVH87GMGQlWw41enGR9qnYZEsITr/6iqLYxHQsJ6xPdOH6AZsbXz7qG9sbSl/4M9lcVk1GMXUgf1I8iDsqNZZxhZkI9jXXkITXz0YI3PZci87w== (none)"
    ];

    leah = {
      isNormalUser                  = true;
      hashedPasswordFile            = config.age.secrets.leah-systempassword.path;
      extraGroups                   = [ "wheel" ]; # Enable ‘sudo’ for the user.
      openssh.authorizedKeys.keys   = [
        #yubikey gpg
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:6445161"
        #ipad gpg
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC28lphReKNN+Ns2vdlOiqhiL/ByAv0foLFwYmF6HNwQVQjHg4n2956OuSxD/prsIycALNuicR1fh31MgR4KqbIPI6vDg1IjriIiXaQGULVK1z3B0pwUoGvlK6CVqBlVU5AjQXsEj04PQGiRcwPlgYJ//pInxSRZ0tQXvx6U5wljoHrEbg4rPVPHJPi/dU9lH2EA5cTxfIUiUYobdGr8U+ljGloi31vPPtC8kRe2Dj/smirsPARDugNCgImfAemaKX6hJsIdgKkjNGdS2f97G6cq+/T/iGiQy1PNNKqt2fSpzYbZvjpmBHN0GxMiEgViYT3saij572+DZujKjmM1ZVDlwB7TbAgF8mBhg2iyusi9sv31KNHVxf+gKE6cZ3SSz3nmCSBpdDPW1KIRrzGskoBVwsoZ5N6+yX+a5aChg6fR0X+pCYD0LKXhSgbV6jxad5f7OACh3DMVN4aphQLxXJrCAZQP02f4Skpnn0kroDoGObkE2+Gu+cXAwLxPv0rsfSVGlfRiTOPKa/09LJHbPsjhPXE6b295VhT0EaEp/a7WjcSBkUUmujI5IOijANpPVH87GMGQlWw41enGR9qnYZEsITr/6iqLYxHQsJ6xPdOH6AZsbXz7qG9sbSl/4M9lcVk1GMXUgf1I8iDsqNZZxhZkI9jXXkITXz0YI3PZci87w== (none)"
        # iphone
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuteK6BuIa8mgihSaTcsKFKrmhSb2gR8X38hJnso5Vq Shortcuts on ctucx.iPhone"
      ];
    };

  };

  home-manager.users.leah = {
    home = {
      language = {
        "base"     = "en_US.UTF-8";
        "time"     = "de_DE.utf8";
        "address"  = "de_DE.utf8";
        "monetary" = "de_DE.utf8";
        "paper"    = "de_DE.utf8";
      };
    };
  };

}