# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports = [
    ../common-cli.nix
    ./hardware-configuration.nix
    ./users.nix
    ./services.nix
  ];

  nix.trustedUsers = [ "root" "paul" ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems = [ "zfs" ];

    tmpOnTmpfs = true;
  };

  documentation.nixos.enable = false;

  nixpkgs.config.allowUnfree = false;
  nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.1-slimserver" "minecraft-server" ]);

  services.zfs = {
    autoSnapshot.enable = true;
    autoScrub.enable = true;
  };

  hardware.usbWwan.enable = true;

  # eno1 -> VLAN100 -> Internet
  # eno2 -> LAN
  # eno3 -> Legacy client DHCP
  # eno4 -> Pas utilisé

  networking = {
    hostName = "loutreos"; # Define your hostname.
    hostId = "7e66e347";

    useNetworkd = true;
    useDHCP = false;

    vlans = {
      bouygues = {
        id = 100;
        interface = "eno1";
      };
      chinoiseries = {
        id = 20;
        interface = "eno2";
      };
    };

    interfaces = {
      bouygues = {
        # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
        macAddress = "E8:AD:A6:21:73:68";
        useDHCP = true;
      };
      eno2 = {
        ipv4.addresses = [
          { address = "10.30.0.1"; prefixLength = 16; }
        ];
      };
      chinoiseries = {
        ipv4.addresses = [
          { address = "10.40.0.1"; prefixLength = 16; }
        ];
      };
      enp0s21u2.useDHCP = true;
    };

    # NAT bouygues <-> eno2
    nat = {
      enable = true;
      externalInterface = "bouygues";
      # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
      # externalIP = "0.0.0.0";
      internalIPs = [ "10.30.0.0/16" "10.40.0.0/16" ];
      internalInterfaces = [ "eno2" "chinoiseries" ];
      forwardPorts = [
        { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
        { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
      ];
    };

    firewall = {
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ ];
      interfaces.eno2 = {
        allowedTCPPorts = [
          111 2049 4000 4001 4002 # NFS
          3483 9000 9090 # Slimserver
          1935 # RTMP
        ];
        allowedUDPPorts = [
          111 2049 4000 4001 4002 # NFS
          3483 # Slimserver
        ];
      };
      enable = true;
    };
  };

  systemd.network.networks = {
    "40-bouygues" = {
      dhcpV4Config.RouteMetric = 1;
      networkConfig.KeepConfiguration = "dhcp-on-stop";
    };
    "40-enp0s21u2".dhcpV4Config.RouteMetric = 1024;
  };

  services.dhcpd4 = {
    enable = true;
    interfaces = [ "eno2" "chinoiseries" ];
    machines = [
      { ethernetAddress = "50:c7:bf:b6:b8:ef"; hostName = "HS110"; ipAddress = "10.30.50.7"; }
      { ethernetAddress = "ac:1f:6b:4b:01:15"; hostName = "IPMI"; ipAddress = "10.30.1.1"; }
      { ethernetAddress = "b4:2e:99:ed:24:26"; hostName = "paul-fixe"; ipAddress = "10.30.50.1"; }

      #ESPHome
      { ethernetAddress = "e0:98:06:85:e9:ce"; hostName = "salonled"; ipAddress = "10.30.40.1"; }
      { ethernetAddress = "e0:98:06:86:38:fc"; hostName = "bureauled"; ipAddress = "10.30.40.2"; }
      { ethernetAddress = "50:02:91:78:be:be"; hostName = "guirlande"; ipAddress = "10.30.40.3"; }

      # YeeLights
      { ethernetAddress = "04:cf:8c:b5:7e:18"; hostName = "yeelink-light-color3_miap7e18"; ipAddress = "10.40.249.0"; }
      { ethernetAddress = "04:cf:8c:b5:2d:28"; hostName = "yeelink-light-color3_miap2d28"; ipAddress = "10.40.249.1"; }
      { ethernetAddress = "04:cf:8c:b5:71:04"; hostName = "yeelink-light-color3_miap7104"; ipAddress = "10.40.249.2"; }
    ];
    extraConfig = ''
      option domain-name-servers 89.234.141.66, 80.67.169.12, 80.67.169.40;
      option subnet-mask 255.255.0.0;
      subnet 10.30.0.0 netmask 255.255.0.0 {
        option routers 10.30.0.1;
        range 10.30.100.0 10.30.200.0;
      }
      subnet 10.40.0.0 netmask 255.255.0.0 {
        option routers 10.40.0.1;
        range 10.40.100.0 10.40.200.0;
      }
    '';
  };

  nixpkgs.overlays = [
    (import ../../overlays/riot-web.nix)
  ];

  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    passwordAuthentication = false;
    forwardX11 = true;
  };

  users = {
    groups.autossh = { };
    users.autossh = {
      home = "/home/autossh";
      createHome = true;
      group = "autossh";
      isSystemUser = true;
    };
  };

  services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ];

  virtualisation.podman.enable = true;

  security.sudo.wheelNeedsPassword = false;

  system.stateVersion = "18.03";
}