# Base NixOS module: one admin account, doas in place of sudo, key-only sshd,
# a TCP/22-only firewall, ZFS rollback-on-boot and the /persist allow-list.
{ config, lib, pkgs, pkgs-unstable, ... }:

{
  imports = [
    ./hosts/odo
    # disko is fetched by release tag. The sha256 pins the unpacked tree, so a
    # changed upstream tarball fails evaluation instead of being used silently.
    "${builtins.fetchTarball {
      url = "https://github.com/nix-community/disko/archive/refs/tags/v1.9.0.tar.gz";
      sha256 = "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388";
    }}/module.nix"
    ./boot.nix
    ./zfs.nix
    ./network.nix
  ];

  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];

    # Automatic garbage collection:
    # runs nix-collect-garbage --delete-older-than 5d
    gc = {
      automatic = true;
      randomizedDelaySec = "14m";
      options = "--delete-older-than 5d";
    };
  };

  users = {
    # Accounts and passwords are defined only by this file; changes made with
    # passwd/useradd at runtime are not kept.
    mutableUsers = false;

    users.talexander = {
      isNormalUser = true;
      createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
      # wheel membership is what the doas settings below grant root through.
      extraGroups = [ "wheel" ];
      packages = with pkgs; [ tree ];

      # Generate with `mkpasswd -m scrypt`
      # NOTE(review): a hash set here is copied into the world-readable Nix
      # store and into every copy of this file. `hashedPasswordFile`, pointing
      # at a root-only file outside the store, keeps it out of both.
      hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";

      # One plain ed25519 key followed by two sk-ssh-ed25519 (FIDO
      # authenticator) keys. The plain key is the only entry that is not tied
      # to a hardware token.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
      ];
    };
  };

  # Use doas instead of sudo
  security = {
    sudo.enable = false;

    doas = {
      enable = true;
      # wheel members are never prompted, so any process running as a wheel
      # user can become root without further authentication.
      wheelNeedsPassword = false;

      extraRules = [
        {
          # Retain environment (for example NIX_PATH)
          keepEnv = true;
          # Only ask for a password the first time.
          # NOTE(review): with wheelNeedsPassword = false no prompt happens at
          # all, so `persist` and the line above do not describe the effective
          # policy. This rule also names no `users` or `groups`; confirm it
          # produces any line in the generated doas.conf.
          persist = true;
        }
      ];
    };
  };

  environment = {
    # Do not use default packages (nixos includes some defaults like nano)
    defaultPackages = lib.mkForce [];

    systemPackages = with pkgs; [
      git
      wget
      mg
      rsync
      libinput
      htop
      tmux
      file
      usbutils # for lsusb
      pciutils # for lspci
    ];

    # Paths kept across the boot-time rollback defined below; everything else
    # on the rolled-back datasets is discarded at each boot.
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        "/etc/nixos" # Contains system configuration, optional
        "/etc/NetworkManager/system-connections" # Wifi settings
        "/var/lib/iwd" # Wifi settings
        "/var/lib/nixos" # Contains user information (uids/gids)
      ];
      # NOTE(review): services.openssh.hostKeys in this file points sshd at
      # /persist/ssh/..., not at these /etc/ssh paths. Confirm which location
      # is intended so only one set of private host keys exists.
      files = [
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
      ];
      # users.talexander = {
      #   directories = [];
      #   files = [];
      # };
    };

    # Write a list of the currently installed packages to
    # /etc/current-system-packages. Only environment.systemPackages is listed;
    # per-user packages are not part of this inventory.
    etc."current-system-packages".text =
      let
        names = builtins.map (p: "${p.name}") config.environment.systemPackages;
        ordered = builtins.sort builtins.lessThan (lib.unique names);
      in
        builtins.concatStringsSep "\n" ordered;
  };

  services.openssh = {
    enable = true;

    # Public-key login only: password and keyboard-interactive are both off.
    # PermitRootLogin is not set here, so the module default applies.
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;

    # Host keys are read from /persist so the server identity survives the
    # boot-time rollback.
    hostKeys = [
      {
        type = "ed25519";
        path = "/persist/ssh/ssh_host_ed25519_key";
      }
      {
        type = "rsa";
        bits = 4096;
        path = "/persist/ssh/ssh_host_rsa_key";
      }
    ];
  };

  # Open ports in the firewall.
  networking.firewall = {
    allowedTCPPorts = [ 22 ];
    allowedUDPPorts = [ ];
    # Or disable the firewall altogether.
    # enable = false;
  };

  # Check what will be lost with `zfs diff zroot/linux/root@blank`
  boot.initrd.systemd = {
    enable = lib.mkDefault true;

    # Runs in the initrd after the pool import and before /sysroot is mounted,
    # returning the root and home datasets to their @blank snapshots.
    services.zfs-rollback = {
      description = "Rollback ZFS root dataset to blank snapshot";
      wantedBy = [ "initrd.target" ];
      after = [ "zfs-import-zroot.service" ];
      before = [ "sysroot.mount" ];
      path = with pkgs; [ zfs ];
      unitConfig = {
        DefaultDependencies = "no";
      };
      serviceConfig = {
        Type = "oneshot";
      };
      script = ''
        zfs rollback -r zroot/linux/root@blank
        zfs rollback -r zroot/linux/home@blank
        echo "rollback complete"
      '';
    };
  };

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     nix = pkgs-unstable.nix;
  #   })
  # ];

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
}