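# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
#
# Host "EDI": home-manager, sops-managed secrets, a wg-quick WireGuard tunnel
# and Secure Boot through lanzaboote.
{
  inputs,
  outputs,
  lib,
  pkgs,
  config,
  ...
}: {
  # You can import other NixOS modules here
  imports = [
    # Import home-manager's NixOS module
    inputs.home-manager.nixosModules.home-manager

    # If you want to use modules your own flake exports (from modules/nixos):
    # outputs.nixosModules.example

    # Or modules from other flakes (such as nixos-hardware):
    # inputs.hardware.nixosModules.common-cpu-amd
    # inputs.hardware.nixosModules.common-ssd

    # You can also split up your configuration and import pieces of it here:
    # ./users.nix
    ../../desktop
    ../../../disko/EDI

    # Import your generated (nixos-generate-config) hardware configuration
    ./hardware-configuration.nix
  ];

  # Encrypted secrets file; the secrets declared below are looked up in it
  # unless they name their own sopsFile.
  sops.defaultSopsFile = ./secrets/sops.yaml;

  home-manager = {
    extraSpecialArgs = {inherit inputs outputs;};
    users = {
      # Import your home-manager configuration
      lillian = import ../../../home-manager/hosts/EDI;
    };
  };

  environment.systemPackages = with pkgs; [
  ];

  networking.hostName = "EDI";

  # WireGuard private key, decrypted by sops-nix at activation time.
  sops.secrets."wg-private-key" = {
    # Owner-read only. The file is owned by root, and a root-run consumer such
    # as the wg-quick unit does not need group read; the previous "0440" also
    # granted read access to the owning group.
    mode = "0400";
    owner = config.users.users.root.name;
  };

  networking.wireguard.enable = true;
  networking.wg-quick.interfaces = {
    wg0 = {
      autostart = true;
      address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
      # Resolvers used while the tunnel is up; both sit inside the tunnel's
      # own address ranges.
      dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
      # NOTE(review): this host dials out to the peer's endpoint below; confirm
      # whether a fixed local UDP port is needed and whether the firewall
      # should admit it. No firewall rule is visible in this file.
      listenPort = 51821;
      # Path of the decrypted secret rather than an inline key, which keeps
      # the private key out of this file and out of the Nix store.
      privateKeyFile = config.sops.secrets."wg-private-key".path;
      peers = [
        {
          publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
          endpoint = "84.87.146.85:51821";
          # 0.0.0.0/0 and ::/0 send all IPv4 and IPv6 traffic through this
          # peer (full tunnel), so the peer sees every outbound connection.
          allowedIPs = ["0.0.0.0/0" "::/0"];
          # Seconds between keepalive packets sent to the peer.
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # Lanzaboote currently replaces the systemd-boot module.
  # This setting is usually set to true in configuration.nix
  # generated at installation time. So we force it to false
  # for now.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.initrd.systemd.enable = true;

  boot.lanzaboote = {
    enable = true;
    # Directory holding the Secure Boot key material lanzaboote signs with.
    # NOTE(review): it contains private signing keys; confirm it is readable
    # by root only, since anyone who can read them can sign a bootable image.
    pkiBundle = "/etc/secureboot";
  };

  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "24.11";
}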