{ config, pkgs, modulesPath, lib, factsGenerator, ... }:

let

  # in rescue shell
  # ---------------
  # apt install -y lshw
  # lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
  networkInterfaceModule = "e1000e";

  # ip addr
  networkInterface = "enp0s31f6";

  # From the Hetzner control panel
  ipv4 = {
    address = "95.216.66.212"; # the ip address
    gateway = "95.216.66.193"; # the gateway ip address
    netmask = "255.255.255.192"; # the netmask -- might not be the same for you!
    prefixLength = 26; # must match the netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
  };
  ipv6 = {
    address = "2a01:4f9:2b:326::2"; # the ipv6 addres
    gateway = "fe80::1"; # the ipv6 gateway
    prefixLength = 64; # shown in the control panel
  };

in

{
  system.stateVersion = "23.11";

  imports = [
    ./disko-config.nix
    ./hardware-configuration.nix
    ./hetzner.nix
  ];

  services.smartd.enable = true;

  # Use GRUB2 as the boot loader.
  # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
  boot.loader.grub = {
    enable = true;
    efiSupport = false; # we created a ef02 partition because uefi is not supported on hetzner online machines.
  };

  # root password
  clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
  users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path;

  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.settings.PasswordAuthentication = false;

  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)

  boot.supportedFilesystems = [ "zfs" ];
  clan.core.facts.services.zfs = factsGenerator.zfs { };
  networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;

  systemd.network.networks."10-hetzner".networkConfig.Address = ipv6.address;
  boot.initrd.systemd.network.networks."10-hetzner" = config.systemd.network.networks."10-hetzner";

  # todo: use ssh component
  boot.initrd.kernelModules = [ networkInterfaceModule ];
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      port = 2222;
      hostKeys = [
        # make sure you use --copy-host-keys during nixos-anywhere
        # (you can create ne ssh keys later, again)
        # rm /etc/ssh/ssh_host_* && systemctl restart sshd.service
        /etc/ssh/ssh_host_rsa_key
        /etc/ssh/ssh_host_ed25519_key
      ];
    };
  };

}