{ config, lib, pkgs, ... }:

{

  #this enables the following services: dns
  deployment.tags          = [ "dnsServer" ];

  imports = [
    ./hardware-configuration.nix

    # monitoring
    ./prometheus.nix
    ./grafana

    # cal- and card-dav server
    ./radicale.nix

    # git server (gitolite+stagit)
    ./git.nix

    # vaultwarden password-store
    ./vaultwarden.nix

    # communication
    ./fedi
    ./matrix
    ./mail

    ./websites
    ./grocy.nix
    ./travelynx2fedi.nix
  ];

  dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);

  age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
  age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    initrd.network = {
      enable = true;
      ssh    = {
        enable         = true;
        port           = 22;
        hostKeys       = [ /etc/ssh/ssh_host_rsa_key ];
        authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
      };

      postCommands = ''
        ip link set dev ens3 up
        ip addr add ${config.networking.primaryIP}/128 dev ens3
        ip route add default via fe80::1 dev ens3 onlink

        ip addr add ${config.networking.primaryIP4}/22 dev ens3
        ip route add default via ${config.networking.defaultGateway.address} dev ens3 onlink
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };

  networking = {
    primaryIP    = "2a03:4000:50:e8::1";
    primaryIP4   = "94.16.104.148";

    resolvconf.enable = false;
    nameservers       = [ "8.8.8.8" "1.1.1.1" ];

    defaultGateway  = {
      interface = "ens3";
      address    = "94.16.104.1";
    };
    defaultGateway6 = {
      interface = "ens3";
      address   = "fe80::1";
    };

    interfaces.ens3 = {
      ipv4.addresses = [{
        address = config.networking.primaryIP4;
        prefixLength = 22;
      }];
      ipv6.addresses = [{
        address      = config.networking.primaryIP;
        prefixLength = 64;
      }];
    };

    nftables.enable = true;
  };

  services.email-notify.enable = true;

  system.stateVersion = "23.11";
  home-manager.users.leah.home.stateVersion = "23.11";

}