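# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... } @ args:

# Top-level NixOS configuration for one Deuxfleurs cluster node.
# Only node-agnostic settings live here; hardware, cluster, site and
# per-node specifics are pulled in through `imports` below.
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    # Include generic Deuxfleurs module
    ./deuxfleurs.nix
    # Wesher module
    ./wesher_service.nix
    # Configuration for this deployment (a cluster)
    ./cluster.nix
    # Configuration local for this Deuxfleurs site (set of nodes)
    ./site.nix
    # Configuration local for this cluster node (hostname, IP, etc)
    ./node.nix
  ];

  # Overlay providing the `wesher` package used in systemPackages below.
  nixpkgs.overlays = [
    (import ./wesher.nix)
  ];

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "sun12x22";
    keyMap = "fr";
  };

  # Raised mmap-area limit (kernel default is far lower); the consumer
  # that needs it is not visible in this file.
  boot.kernel.sysctl = {
    "vm.max_map_count" = 262144;
  };

  # Cap persistent journal size on disk.
  services.journald.extraConfig = ''
    SystemMaxUse=1G
  '';

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    nmap bind inetutils pciutils vim tmux ncdu iotop jnettop nethogs wget htop
    smartmontools links git rclone docker docker-compose wesher
  ];

  programs.vim.defaultEditor = true;

  # Enable network time
  services.ntp.enable = true;

  # Enable the OpenSSH daemon and disable password login.
  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;

  # Wesher mesh VPN between the cluster nodes.
  services.wesher = {
    enable = true;
    join = [ "192.168.1.22" "192.168.1.23" ];
    bindAddr = config.deuxfleurs.lan_ip; # for now
    overlayNet = "10.14.0.0/16";
  };

  # ---- CONFIG FOR DEUXFLEURS CLUSTER ----

  # Open ports in the firewall.
  networking.firewall = {
    enable = true;

    # Allow anyone to connect on SSH port.
    # Only the first configured sshd port is opened. (The previous
    # `{ openssh.ports = [22]; } // config.services` fallback was dead code:
    # `//` is a shallow merge and config.services always carries an
    # `openssh` attribute, so the expression reduced to this.)
    allowedTCPPorts = [
      (builtins.head config.services.openssh.ports)
    ];

    # Allow specific hosts access to specific things in the cluster.
    # These rules are appended straight to INPUT (not to the nixos-fw chain),
    # carry no -p/--dport, so they accept every protocol and port from the
    # listed sources, and use iptables only, i.e. they are IPv4-only.
    extraCommands = ''
      # Allow everything from router (usefull for UPnP/IGD)
      iptables -A INPUT -s 192.168.1.254 -j ACCEPT
      # Allow docker containers to access all ports
      iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
      # Allow other nodes on VPN to access all ports
      # NOTE(review): wesher's overlayNet above is 10.14.0.0/16 while this
      # rule admits 10.42.0.0/16 -- confirm which network the VPN really uses.
      iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
    '';

    # When stopping firewall, delete all rules that were configured manually above.
    # Each delete tolerates "rule not present" so that one missing rule does not
    # abort the stop script and leave the remaining ACCEPT rules in place.
    extraStopCommands = ''
      iptables -D INPUT -s 192.168.1.254 -j ACCEPT 2>/dev/null || true
      iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT 2>/dev/null || true
      iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT 2>/dev/null || true
    '';
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
}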