{ config, pkgs, modulesPath, lib, ... }:

# NixOS configuration for a Hetzner dedicated host: mirrored GRUB on two
# drives, LUKS on both drives, static IPv4/IPv6 and an SSH server inside the
# initrd so the host can be reached before the root volume is unlocked.

let

  hostName = "robi";

  # NIC driver, found on the running host with:
  #   apt install -y lshw
  #   lshw -C network | grep -Poh 'driver=[[:alnum:]]+'
  nicDriver = "r8169";

  # Interface name the kernel gives that NIC.
  nic = "enp3s0";

  # Addresses as shown in the Hetzner control panel.
  ipv4 = {
    address = "144.76.13.147";
    gateway = "144.76.13.129";
    netmask = "255.255.255.224"; # not necessarily the same on other hosts
    prefixLength = 27; # must agree with netmask, see <https://www.pawprint.net/designresources/netmask-converter.php>
  };

  ipv6 = {
    address = "2a01:4f8:190:9147::1";
    gateway = "fe80::1"; # link-local gateway
    prefixLength = 64; # shown in the control panel
  };

  # Root's SSH public keys (the key body was redacted upstream). The initrd
  # SSH server below reuses this list via `config`.
  rootSshKeys = [
    "ssh-rsa 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"
  ];

in

{
  imports = [
    ./hardware-configuration.nix # results of the hardware scan
  ];

  boot = {
    # Hetzner boots via legacy BIOS, so GRUB2 instead of systemd-boot.
    loader.systemd-boot.enable = false;
    loader.grub = {
      enable = true;
      efiSupport = false;
      version = 2;
      # Keep a complete copy of the boot files (kernels, grub menus, ...)
      # on each drive so either one can boot the machine.
      mirroredBoots = [
        { path = "/boot-1"; devices = [ "/dev/sda" ]; }
        { path = "/boot-2"; devices = [ "/dev/sdb" ]; }
      ];
    };

    # Network in the initrd, see
    # <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt>:
    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
    # <server-ip> is the NFS server and is left empty here.
    kernelParams = [
      "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${nic}:off:8.8.8.8"
    ];

    initrd = {
      # device-mapper targets needed for LVM on RAID
      kernelModules = [ "dm-snapshot" "dm_mirror" "dm_raid" "dm_region_hash" ];

      availableKernelModules = [ nicDriver ];

      luks = {
        # Try the first passphrase on the second volume as well.
        reusePassphrases = true;
        devices = {
          a_encrypted = { device = "/dev/sda3"; preLVM = true; };
          b_encrypted = { device = "/dev/sdb3"; preLVM = true; };
        };
      };

      network = {
        enable = true;
        ssh = {
          enable = true;
          # Same keys as the main system; presumably used to enter the LUKS
          # passphrase remotely before the root volume is available.
          authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
          port = 2222;
          # NOTE(review): these keys are embedded in the initrd, which sits on
          # the unencrypted /boot-1 and /boot-2 partitions, so anyone with the
          # disk can read them. Keep them separate from the system's /etc/ssh
          # host keys (as done here) and expect a different fingerprint on
          # port 2222 than on the main sshd.
          hostKeys = [
            /etc/secrets/initrd/ssh_host_rsa_key
            /etc/secrets/initrd/ssh_host_ed25519_key
          ];
        };
      };
    };
  };

  # Either boot partition may be missing without blocking boot.
  fileSystems."/boot-1".options = [ "nofail" ];
  fileSystems."/boot-2".options = [ "nofail" ];

  networking = {
    inherit hostName;
    # Hetzner hands out static addresses; no DHCP.
    useDHCP = false;
    interfaces.${nic} = {
      ipv4.addresses = [ { address = ipv4.address; prefixLength = ipv4.prefixLength; } ];
      ipv6.addresses = [ { address = ipv6.address; prefixLength = ipv6.prefixLength; } ];
    };
    defaultGateway = ipv4.gateway;
    defaultGateway6 = { address = ipv6.gateway; interface = nic; };
    nameservers = [ "8.8.8.8" ];
  };

  users.users.root = {
    # Empty initial hash for easy first login. NOTE(review): this lets root
    # log in without a password on a local or KVM console; remote access is
    # only protected by the sshd settings below. Per the NixOS option docs
    # initialHashedPassword applies when the account is first created.
    initialHashedPassword = "";
    openssh.authorizedKeys.keys = rootSshKeys;
  };

  services.openssh = {
    enable = true;
    # Key-only access: root may log in with a key, never with a password.
    permitRootLogin = "prohibit-password";
    passwordAuthentication = false;
  };

  environment.systemPackages = [ pkgs.mosh ];

  system.stateVersion = "21.05";
}