# Host configuration for "fortress", a DigitalOcean droplet.
#
# To recover/repeat this monstrosity:
#   - Comment out the digital-ocean-image.nix import
#   - Build qcow2 image with
#     `nixos-rebuild build-image --image-variant digital-ocean --flake ".#fortress"`
#   - Convert image output from .qcow2.gz to .img.zst
#   - Pipe the .img.zst over ssh into dd on the "Recovery ISO" environment of
#     the droplet
#   - Resize the partition and reboot
#   - ????
#   - Profit
#
# NOTE(review): the dd step overwrites the droplet's disk in place. Confirm the
# target device and the integrity of the image (e.g. compare a checksum taken
# before and after the transfer) before writing.
{ lib, config, pkgs, inputs, ... }:

let
  # Secrets that live in this host's own sops file rather than in the default
  # one (the default sopsFile is configured outside this file).
  fortressSecret = { sopsFile = ./secrets.yaml; };
in
{
  imports = [
    # NOTE: This has to be uncommented to rebuild on a live system, but
    # commented for build-image to work.
    "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"

    # Core Features
    ../../nixos/features/base.nix
    ../../nixos/features/tui-apps.nix
    ../../nixos/features/openssh-server.nix

    # Core Tweaks
    ../../nixos/tweaks/zram.nix
    ../../nixos/tweaks/enable_flakes.nix
    ../../nixos/tweaks/systemd-resolved_nonsense.nix

    # Users
    ../../users/lauren_lagarde/lauren_lagarde.nix

    # Additional Software
    # NOTE(review): disable_firewall.nix is not visible here; presumably it
    # turns off the NixOS host firewall. This machine carries public IPv4 and
    # IPv6 addresses (see networks."30-ens3" below) and runs Docker, so with no
    # host firewall every listening service and every published container port
    # is reachable from the internet unless something upstream (e.g. a
    # provider-side firewall) filters it. Confirm that such filtering exists,
    # or replace this import with an explicit allow-list of ports.
    ../../nixos/tweaks/disable_firewall.nix
    #../../nixos/features/virtualization/dockge.nix
    ../../nixos/features/virtualization/docker.nix
  ];

  ##############################################################################
  # Services
  ##############################################################################

  # Forced off, overriding any module that enables it.
  # Presumably because a droplet exposes no SMART-capable disk; confirm.
  services.smartd.enable = lib.mkForce false;

  # Secrets decrypted by sops-nix at activation time. Unless overridden per
  # secret, sops-nix writes them root-owned with mode 0400; keep it that way
  # and grant access per consuming service (owner/group/mode) rather than
  # loosening the defaults. The *.priv entries are private keys for the VPN
  # daemons; whether the *.pem entries bundle private keys cannot be told from
  # this file, so treat them as sensitive too.
  sops.secrets = {
    "dotspace/pki/lagarde.dev.pem" = {};
    "dotspace/pki/mlaga97.space.pem" = {};
    "dotspace/pki/bauble.boutique.pem" = {};

    "dotspace/fortress/keys/wireguard.priv" = fortressSecret;
    "dotspace/fortress/keys/tinc/rsa_key.priv" = fortressSecret;
    "dotspace/fortress/keys/tinc/ed25519_key.priv" = fortressSecret;
  };

  ##############################################################################
  # Networking
  ##############################################################################

  networking = {
    # The two IPv4 entries are DigitalOcean's resolvers, the two IPv6 entries
    # are Google Public DNS. These are plain resolver addresses; any DNSSEC or
    # DNS-over-TLS policy would have to come from the resolved tweak imported
    # above, which is not visible here.
    nameservers = [
      "67.207.67.3"
      "67.207.67.2"
      "2001:4860:4860::8844"
      "2001:4860:4860::8888"
    ];

    # Interfaces are configured by systemd-networkd (see systemd.network).
    useNetworkd = true;
  };

  systemd.network.enable = true;

  # Addresses are static and matched on the NIC's permanent MAC address, so
  # this file is specific to one droplet and must be updated if the droplet or
  # its interfaces are recreated.
  systemd.network.networks = {
    # Public IP
    "30-ens3" = {
      matchConfig.PermanentMACAddress = "c2:6c:55:d5:99:6a";

      address = [
        "68.183.54.8/20"
        # NOTE(review): a 10.17.0.0/16 address on the public interface;
        # presumably the provider's anchor address - confirm.
        "10.17.0.6/16"
        "2604:a880:800:10::d60:9001/64"
      ];

      routes = [
        # IPv4 default route.
        { Gateway = "68.183.48.1"; }

        # IPv6: link-scoped route to the gateway itself, then the default
        # route through it, marked on-link.
        {
          Destination = "2604:a880:800:10::1";
          Scope = "link";
          Metric = 100;
        }
        {
          Gateway = "2604:a880:800:10::1";
          GatewayOnLink = true;
          Metric = 100;
        }
      ];
    };

    # Private IP
    # With the host firewall disabled (see imports), services bound to all
    # addresses are also exposed on this network.
    "30-ens4" = {
      matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
      address = [ "10.132.86.139/16" ];
    };
  };
}