# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ inputs, config, pkgs, lib, ... }:

{
  imports =
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  documentation.enable = false;
  documentation.nixos.enable = false;
  documentation.man.enable = false;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  boot.loader.systemd-boot.enable = false;

  networking.interfaces."ens3" = {
    ipv6 = {
      addresses = [
        {
          address = "2a00:6800:3:744::1";
          prefixLength = 64;
        }
      ];
    };
    ipv4 = {
      addresses = [
        {
          address = "195.90.211.163";
          prefixLength = 22;
        }
      ];
    };
  };
  networking.defaultGateway6 = { address = "2a00:6800:3::1"; interface = "ens3"; };
  networking.defaultGateway = { address = "195.90.208.1"; interface = "ens3"; };
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
  # networking.interfaces.eno1.useDHCP = true;
  networking.hostId = "7c28236a";

  # Immutable users due to tmpfs
  users.mutableUsers = false;

  services.postgresql.package = pkgs.postgresql_13;

  services.grafana = {
    enable = true;
    settings.server = {
      domain = "beliskner.kangaroo-galaxy.ts.net";
      root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
    };
  };


  ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
  services.prometheus.exporters.blackbox = {
    enable = true;
    configFile = config.age.secrets.prometheusBlackboxConfig.path;
    enableConfigCheck = false;
  };


  services.caddy = {
    enable = true;
    virtualHosts = {
      "beliskner.kangaroo-galaxy.ts.net" = {
        extraConfig = ''
                    reverse_proxy :${toString config.services.grafana.settings.server.http_port}
                    forward_auth unix//run/tailscale.nginx-auth.sock {
          	      uri /auth
          	      header_up Remote-Addr {remote_host}
          	      header_up Remote-Port {remote_port}
          	      header_up Original-URI {uri}
          	      copy_headers {
               	        Tailscale-User>X-Webauth-User
          	        Tailscale-Name>X-Webauth-Name
          	        Tailscale-Login>X-Webauth-Login
          	        Tailscale-Tailnet>X-Webauth-Tailnet
          	        Tailscale-Profile-Picture>X-Webauth-Profile-Picture
          	      }
                    }
        '';
      };
    };
  };

  networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
  services.grafana.settings = {
    analytics.reporting_enabled = false;
    users = {
      allow_sign_up = false;
    };
    auth.proxy = ''
      enabled = true
      header_name = "X-Webauth-User"
      header_property = "username"
      auto_sign_up = true
      allow_sign_up = true
      whitelist = "127.0.0.1, ::1"
    '';
  };
  services.tailscale = {
    enable = true;
    permitCertUid = "caddy";
  };



  ragon = {
    cli.enable = false;
    user.enable = false;
    persist.enable = true;
    persist.extraDirectories = [
      "/var/lib/tailscale"
      "/var/lib/caddy"
    ];
    services = {
      ssh.enable = true;
    };
  };
}