{ config, pkgs, lib, ... }:

let
  # Complete PAM stack for the `login` service. It is assigned verbatim to
  # security.pam.services.login.text below, which means it replaces the stack
  # NixOS would otherwise generate from the security.pam.* options.
  #
  # Each `auth sufficient` line is a stand-alone way in: a YubiKey
  # challenge-response, a fingerprint, or the Unix password. The password line
  # carries `nullok` (accounts with an empty password are accepted) and
  # `try_first_pass` (a password already entered for an earlier module is
  # reused). Only when all three fail does pam_deny reject the attempt.
  pamLogin = ''
    # Account management.
    account required pam_unix.so

    # Authentication management.
    auth sufficient ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=challenge-response
    auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
    auth sufficient pam_unix.so nullok likeauth try_first_pass
    auth required pam_deny.so

    # Password management.
    password sufficient pam_unix.so nullok sha512

    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
    session required pam_loginuid.so
    session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent
    session optional ${pkgs.systemd}/lib/security/pam_systemd.so
  '';
in
{
  # systemd-boot as the EFI boot loader; the installer may write EFI boot
  # variables.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "helix-texta";
  # NetworkManager, with the vpnc plugin available.
  networking.networkmanager = {
    enable = true;
    packages = [ pkgs.networkmanager-vpnc ];
  };

  system.fsPackages = [ pkgs.sshfs ];

  # PipeWire for the wayland session; the legacy sound stack stays off and
  # rtkit lets PipeWire ask for realtime scheduling.
  sound.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse.enable = true;
    jack.enable = true;
    config.pipewire."default.clock.allowed-rates" = [ 48000 44100 ];
    config.pipewire-pulse."stream.properties" = {
      "channelmix.upmix" = true;
      "channelmix.lfe-cutoff" = 150;
    };
    media-session.config.alsa-monitor.rules = [
      {
        matches = [
          { "node.name" = "alsa_output.usb-Focusrite_Scarlett_Solo_USB_Y7ENM550A6399B-00.pro-output-0"; }
        ];
        actions.update-props = {
          #"audio.rate" = 96000;
          "api.alsa.headroom" = 1024;
        };
      }
    ];
  };

  xdg.portal = {
    enable = true;
    gtkUsePortal = true;
    extraPortals = with pkgs; [ xdg-desktop-portal-wlr xdg-desktop-portal-gtk ];
  };

  services.udev = {
    # Each rule matches on the USB vendor/product ID pair only, so any device
    # presenting those IDs receives the symlink, not just this particular unit.
    # NOTE(review): udev reads one rule per line; keep each rule unbroken.
    customRules = [
      # Rename the Scarlett Solo using udev
      {
        name = "85-scarlett-solo";
        rules = ''
          SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="8211", ENV{ID_VENDOR_ID}=="1235", TAG+="systemd", SYMLINK+="scarlett_solo"
        '';
      }
      {
        name = "85-yubikey";
        rules = ''
          SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", TAG+="systemd", SYMLINK+="yubikey"
        '';
      }
    ];
    packages = [ pkgs.yubikey-personalization pkgs.chrysalis ];
  };

  security.pam = {
    yubico = {
      enable = true;
      #id = "ccccccvblrrf";
      control = "required";
      mode = "challenge-response";
      debug = false;
    };
    # The hand-written stack above takes over the whole service file, so the
    # `yubico.control = "required"` setting is not what governs `login`; there
    # the YubiKey is merely `sufficient`.
    services.login = {
      name = "login";
      # Fix when https://github.com/NixOS/nixpkgs/pull/105319 lands..
      text = pamLogin;
    };
    #services.swaylock = {
    #  name = "swaylock";
    #  fprintAuth = true;
    #  unixAuth = true;
    #};
  };
  services.fprintd.enable = true;

  users = {
    # Declarative users only: passwd/useradd changes do not survive a rebuild.
    mutableUsers = false;
    # Myself
    users.malte = {
      description = "Malte Tammena";
      # SHA-512 crypt ($6$) hash, committed together with the configuration.
      # Anyone who can read this repository can attempt offline guessing against
      # it, and with mutableUsers = false it is the only password credential.
      hashedPassword = "$6$zqEC2iJJ98Ne$lRERO30msyjJm7oJCqRD/xj3NIm4De37gD.VUzfg7aceosE/6S6eNAaruIakgUtSC970MHRPoNlCEy1RoFuyh.";
      isNormalUser = true;
      # wheel, kvm, libvirtd and podman are privilege-bearing groups; together
      # with the Docker-compatible podman socket below they give this account
      # broad control over the host.
      extraGroups = [
        "wheel"
        "networkmanager"
        "video"
        "lp"
        "kvm"
        "libvirtd"
        "podman"
        "scanner"
        config.users.groups.keys.name
      ];
      # Yes, use the best, please
      shell = pkgs.fish;
    };
  };
  home-manager.users.malte.imports = [ ../users/malte/home.nix ];
  programs.fish.enable = true;

  # Use some fonts
  fonts = {
    enableDefaultFonts = true;
    fonts = [ pkgs.firaCodeNerd pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.joypixels ];
    fontconfig = {
      enable = true;
      defaultFonts.monospace = [ "FiraCode Nerd Font" ];
    };
  };

  # GPG agent also serves as the SSH agent; the YubiKey holds the keys.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryFlavor = "qt";
  };

  virtualisation.podman = {
    enable = true;
    # `docker` alias for podman, to use it as a drop-in replacement.
    dockerCompat = true;
    # Exposes podman's Docker-compatible API socket; per the NixOS option,
    # members of the podman group may connect to it.
    dockerSocket.enable = true;
    defaultNetwork.dnsname.enable = true;
  };

  programs.dconf.enable = true;
  programs.steam.enable = true;
  programs.sway.enable = true;
  nixpkgs.config.packageOverrides = pkgs: {
    steam = pkgs.steam.override {
      extraPkgs = pkgs: [ pkgs.openssl ];
      #nativeOnly = true;
    };
  };
  services.dbus.packages = [ pkgs.dconf ];
  environment.systemPackages = [ pkgs.thunderbolt pkgs.qt5.qtwayland pkgs.chrysalis ];
  services.printing.enable = true;
  services.fwupd.enable = true;
  services.devmon.enable = true;

  sops = {
    defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
    # The age decryption key is derived from the host's SSH key, so what this
    # machine can decrypt is bound to that key file.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # TODO: Improve this
    secrets."restic-backup-malte" = {
      sopsFile = ../secrets/users/malte/secrets.yaml;
      # Readable only by its owner.
      owner = "malte";
      mode = "0400";
      key = "restic-backup";
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
}