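# NixOS host configuration for "zoro": UEFI boot, a WireGuard client link,
# one key-only admin account with passwordless sudo, hardened SSH on 4222 and
# two Forgejo CI runner instances.  Secrets (WireGuard keys, runner token) are
# referenced by absolute path so they stay out of the world-readable Nix store.
{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../modules/minimal-server.nix
  ];

  # UEFI boot via systemd-boot.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking = {
    hostName = "zoro";
    domain = "mrflos.pw";
    nameservers = [ "80.67.169.12" "2001:910:800::12" "80.67.169.40" "2001:910:800::40" ];

    # WireGuard client.  Private and preshared keys are given as file paths,
    # not inline strings, so they are never copied into /nix/store.
    wg-quick.interfaces = {
      wg0 = {
        address = [ "10.42.0.3/32" ];
        privateKeyFile = "/etc/wireguard_private_key";

        peers = [
          {
            publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
            presharedKeyFile = "/etc/wireguard_preshared_key";
            # Only the VPN subnet is routed through the tunnel (no full-tunnel default route).
            allowedIPs = [ "10.42.0.0/24" ];
            endpoint = "195.201.63.240:8098";
            persistentKeepalive = 15;
          }
        ];
      };
    };
  };

  time.timeZone = "Europe/Moscow";
  i18n.defaultLocale = "en_US.UTF-8";

  users.users.optisseur = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # initialPassword is applied only when the account is first created and is
    # stored in clear text in the Nix store.  SSH password auth is disabled
    # below, so this value is effectively the console / physical-access
    # credential; replace it (e.g. via hashedPassword) before the host is
    # reachable by anyone who should not have it.
    initialPassword = "ACHANGER";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBM+2TwkopAQF7splTWjORQoxjcp67VhodwzvTMlL8g florian@florian-LinuxMint-MBP"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRG0CyeeMMrrjTTm/PHgRXD/I4lH/bBPBCGUiL+cBdq douzeb@tux-12"
    ];
  };

  # Passwordless sudo for the admin account: possession of either SSH key above
  # is equivalent to root on this host, so those keys are the trust root.
  security.sudo.extraRules = [
    {
      users = [ "optisseur" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
        }
      ];
    }
  ];

  # SSH: non-default port, public-key only, no root login.
  services.openssh.enable = true;
  services.openssh.ports = [ 4222 ];
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };

  # Forgejo CI runners.
  # - `name` must be read through `config.`: a bare `networking` is not bound
  #   inside this module (the attrset is not recursive) and fails evaluation.
  # - The registration token is supplied with `tokenFile`, not `token`: `token`
  #   takes the secret itself as a string, which would put it in the Nix store
  #   and treat the path string as the token value.
  # NOTE(review): both instances read the same token file although they
  # register with different forges — confirm that is intended.
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances = {
      distrilab = {
        enable = true;
        name = config.networking.hostName;
        url = "https://git.distrilab.fr";
        tokenFile = "/etc/forgejo/runner.token";
        labels = [
          "debian-latest:docker://node:20-bullseye"
          "ubuntu-latest:docker://node:20-bullseye"
          "nixos:docker://nixos/nix:latest"
        ];
      };
      mrflospw = {
        enable = true;
        name = config.networking.hostName;
        url = "https://forge.mrflos.pw";
        tokenFile = "/etc/forgejo/runner.token";
        labels = [
          "debian-latest:docker://node:20-bullseye"
          "ubuntu-latest:docker://node:20-bullseye"
          "nixos:docker://nixos/nix:latest"
        ];
      };
    };
  };

  # 4222 is already opened by services.openssh (openFirewall defaults to true);
  # listing it here is harmless.  Nothing in this file listens on 80/443 —
  # presumably minimal-server.nix does; confirm, or drop them to keep the
  # exposed surface minimal.
  networking.firewall.allowedTCPPorts = [ 80 443 4222 ];

  system.stateVersion = "24.05";
}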