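# NixOS host configuration for "stranox": sops secrets, nginx reverse proxies
# behind ACME/TLS, syncthing, a (currently disabled) nextcloud, postgres and
# the interactive user setup.
{ pkgs, inputs, config, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../../modules/rare/realmail.nix
    ../../modules/misc/virt.nix
    #../../modules/server/collabora.nix
    inputs.sops-nix.nixosModules.sops
  ];

  networking.hosts = {
    #"127.0.0.1" = ["cloud.hahn1.one" "cool.hahn1.one"];
    #"::1" = ["cloud.hahn1.one" "cool.hahn1.one"];
  };

  # Enable all the old services on gullfoss
  services.postgresql = {
    enable = true;
    # Ensure databases here
    ensureDatabases = [ "mydatabase" ];
    # TODO: integrate the old permission
    # `trust` on the `local` socket means every OS account on this host can
    # open a connection as any database role without a password; tighten to
    # peer/scram once the old permission model is ported.
    authentication = pkgs.lib.mkOverride 10 ''
      #type database DBuser auth-method
      local all all trust
    '';
  };

  #systemd.services.nixBuildTmuxSession = {
  #  description = "Start tmux nix build session if not already running";
  #  after = [ "network.target" ];
  #  path = with pkgs; [ nix tmux ];
  #  serviceConfig = {
  #    Type = "oneshot";
  #    User = "jonas"; # Change this!
  #  };
  #  script = ''exec /home/jonas/projects/perdash/start_server.sh'';
  #};

  services.cron.enable = true;

  # Sops setup
  sops = {
    defaultSopsFile = ../../../secrets.yaml;
    defaultSopsFormat = "yaml";
    # hard code the username here
    # The age key lives in a user home directory; decryption of every secret
    # below depends on that file being readable only by root/jonas -- verify
    # its permissions on the host.
    age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
    secrets = {
      joncook = {};
      jondash = {};
      nextpass = {
        group = "nextcloud";
        owner = "nextcloud";
      };
    };
    # Both templates are rendered by sops-nix at activation with the real
    # value of `joncook` substituted for the placeholder, so the secret never
    # enters the nix store.
    templates = {
      # Sent by dash.hahn1.one after a successful basic-auth login; the cookie
      # value IS the shared secret and later bypasses basic auth (see the
      # `map` blocks in appendHttpConfig), i.e. it is a long-lived bearer
      # token.  Secure: the host is forceSSL only.  HttpOnly: nginx reads it
      # server-side via $cookie_letmein, so scripts do not need it (confirm
      # the dashboard frontend does not read this cookie itself).  SameSite=Lax
      # keeps it off cross-site subrequests.
      "jontemp2" = {
        owner = "nginx";
        group = "nginx";
        content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/;Secure;HttpOnly;SameSite=Lax";'';
      };
      # One `map` entry: cookie value equals the secret -> "yes".
      "jontemp" = {
        owner = "nginx";
        group = "nginx";
        content = ''"${config.sops.placeholder.joncook}" "yes";'';
      };
    };
  };

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  swapDevices = [ { device = "/swapfile"; size = 8192; } ];
  networking.hostName = "stranox";

  # setup syncthing
  # This is not needed for now because one should only use syncthing when not having battery problems
  services.syncthing = {
    enable = true;
    user = "jonas";
    #guiAddress = "0.0.0.0:8384";
    dataDir = "/home/jonas/syncthing";
    configDir = "/home/jonas/.config/syncthing";
    overrideDevices = true; # overrides any devices added or deleted through the WebUI
    # overrides any folders added or deleted through the WebUI -- with the
    # `folders` set below empty, every folder created in the WebUI is removed
    # again on the next activation.
    overrideFolders = true;
    settings = {
      devices = {
        "thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
      };
      folders = {
        # This is the mail folder to keep synced across everything
        # Its nice to have this declaratively and just work with the respective ids
        # "syncthing" = {
        #   path = "/home/jonas/synced";
        #   devices = [ "thinix" ];
        #   ignorePerms = true;
        #   versioning = {
        #     type = "staggered";
        #   };
        # };
      };
    };
  };

  # Disabled; the cloud.hahn1.one vhost below proxies to localhost:11000
  # instead, presumably a separately managed instance -- confirm before
  # re-enabling this module so the two do not fight over the hostname.
  services.nextcloud = {
    enable = false;
    # Use the default home
    #home = "/mnt/nextcloudStorage";
    package = pkgs.nextcloud30;
    hostName = "cloud.hahn1.one";
    settings = {
      #trusted_domains = [""];
    };
    config = {
      adminpassFile = config.sops.secrets.nextpass.path;
      dbtype = "sqlite";
    };
    extraApps = { inherit (config.services.nextcloud.package.packages.apps) calendar; };
    extraAppsEnable = true;
    https = true;
    configureRedis = true;
    maxUploadSize = "1G";
  };

  # configure users for small machine
  users = {
    defaultUserShell = pkgs.zsh;
    groups = {
      nginx = {};
      nextcloud = {};
      podman = {};
      docker = {};
    };
    users = {
      nginx = {
        isSystemUser = true;
        group = "nginx";
      };
      nextcloud = {
        isSystemUser = true;
        group = "nextcloud";
      };
      # Same key as jonas; root key login works because NixOS' openssh default
      # is prohibit-password (password login stays off).
      root = {
        openssh.authorizedKeys.keys = [
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix''
        ];
      };
      # wheel + docker + podman: docker group membership is root-equivalent.
      jonas = {
        isNormalUser = true;
        extraGroups = [ "wheel" "docker" "podman" ];
        openssh.authorizedKeys.keys = [
          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix''
        ];
        packages = with pkgs; [
          neovim
          pkgs.unstable.yazi
          zsh
          git
          starship
          eza
          bat
          lazygit
          btop
          gdu
          fastfetch
          sops
          w3m
          typst
          tmux
          wget
          curl
          pipx
          fd
          python3
          nodejs
          gcc
          gnumake
          findutils.locate
          gradle
          lua
          todo-txt-cli
        ];
      };
    };
  };

  #environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
  # source the local httppass for the nginx login
  # A path literal is copied into the (world-readable) nix store, so the
  # password hashes in ./htpasswd are exposed to every local account; the
  # commented sops variant above keeps the file out of the store.
  environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;

  networking.firewall = {
    enable = true;
    # 3478 is presumably TURN; nothing in this file listens on 8080 -- confirm
    # it is still needed before keeping it open.
    allowedTCPPorts = [ 3478 80 443 8080 ];
    allowedUDPPorts = [ 3478 ];
  };

  # Services for the cloud
  services.openssh.enable = true;
  services.nginx = {
    mapHashBucketSize = 128;
    enable = true;
    # $dash_hascookie is "yes" only when $cookie_letmein matches the secret
    # rendered into jontemp; $dash_authentication then turns basic auth off
    # for that request, otherwise the realm string is used.
    appendHttpConfig = ''
      map $cookie_letmein $dash_hascookie {
        include ${config.sops.templates.jontemp.path};
        default "no";
      }
      map $dash_hascookie $dash_authentication {
        "yes" "off";
        default "Your credentials please";
      }
    '';
    virtualHosts = {
      "dash.hahn1.one" = {
        forceSSL = true;
        enableACME = true;
        #basicAuth = { jonas = "1234"; };
        locations."/" = {
          proxyPass = "http://127.0.0.1:8000";
          proxyWebsockets = true;
          # Basic auth unless the letmein cookie matches; successful responses
          # then (re)issue the cookie via the jontemp2 template.
          extraConfig = ''
            auth_basic $dash_authentication;
            auth_basic_user_file /etc/nginx/htpasswd/jondash;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            include ${config.sops.templates.jontemp2.path};
          '';
        };
      };
      "sync.hahn1.one" = {
        forceSSL = true;
        enableACME = true;
        #basicAuth = { jonas = "1234"; };
        locations."/" = {
          proxyPass = "http://127.0.0.1:8384";
          proxyWebsockets = true;
        };
      };
      # Easter special for having a scavenger hunt that implements modern technology
      "jagd.hahn1.one" = {
        forceSSL = true;
        enableACME = true;
        #basicAuth = { jonas = "1234"; };
        locations."/" = {
          proxyPass = "http://127.0.0.1:2345";
          proxyWebsockets = true;
        };
      };
      "dev.hahn1.one" = {
        forceSSL = true;
        enableACME = true;
        # This is of course not secure but better than to have nothing
        # First one need to read this code to access
        # (the basicAuth option also writes these credentials into the nix
        # store, so "reading this code" includes any local account)
        basicAuth = { dev = "dev"; };
        # use a dev proxypass to test some applications
        locations."/" = {
          proxyPass = "http://127.0.0.1:8888";
          proxyWebsockets = true;
        };
      };
      "cloud.hahn1.one" = {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          proxyPass = "http://localhost:11000";
          proxyWebsockets = true;
        };
      };
      # Port comes from the collabora-online option defaults; the local
      # collabora module import above is commented out.
      "cool.hahn1.one" = {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
          proxyWebsockets = true;
        };
      };
      "hahn1.one" = {
        forceSSL = true;
        enableACME = true;
        default = true;
        locations."/" = {
          root = "${pkgs.nginx}/html";
          index = "index.html";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    #TODO: activate this mail
    defaults.email = "security@hahn1.one";
  };

  nixpkgs.config.allowUnfree = true;
  nix.settings.experimental-features = [ "flakes" "nix-command" ];
  time.timeZone = "Europe/Berlin";

  environment = {
    sessionVariables = { };
    systemPackages = with pkgs; [
      git
      fastfetch
      lazygit
      unzip
      fzf
      zathura
      # everywhere support
      starship
      zoxide
      # add sync support
      rsync
      flock
      unison
      # curl for scripting
      curl
    ];
  };

  programs.zsh = {
    enable = true;
    autosuggestions.enable = true;
    ohMyZsh = {
      enable = true;
      plugins = [
        "history-substring-search"
        "git"
        "zoxide"
        "sudo"
        "vi-mode"
        "systemadmin"
      ];
    };
  };

  # In case of gui usage
  programs.nix-ld.enable = true;

  # This was generated by the infect script I may just keep it this way for
  # Security reasons
  system.stateVersion = "23.11";
}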