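{ config, lib, pkgs, ... }:

# Common base module shared by every host. It declares the `sbruder.*`
# switches that other modules key off, imports every module (each one
# enables itself only when its option is set) and sets the essential
# system-wide defaults.
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure
        will be smaller, but some features will not be available.
      '';
      default = true;
    };

    # NOTE(review): a host is considered trusted unless it opts out. Modules
    # gating secrets on this flag therefore treat a freshly added host as
    # trusted by default; hosts without an encrypted root must set this to
    # false explicitly.
    trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // {
      default = true;
    };

    gui.enable = lib.mkEnableOption "gui";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./locales.nix
    ./mailserver.nix
    ./media-proxy.nix
    ./mullvad
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
    ./nix.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pipewire.nix
    ./restic
    ./secrets.nix
    ./ssh.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
  ];

  config = lib.mkMerge [
    {
      # Essential system tools
      environment.systemPackages = with pkgs; [
        git
        git-crypt # used to store secrets in configuration
        git-lfs # not so essential, but required to clone config
        htop
        tmux
        vim
      ];

      # Clean temporary files on boot
      boot.cleanTmpDir = true;

      # Set zsh as default shell
      programs.zsh.enable = true;
      users.defaultUserShell = pkgs.zsh;
      environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";

      # command-not-found does not work without channels
      programs.command-not-found.enable = false;

      # Hard drive monitoring
      services.smartd.enable = lib.mkDefault true;

      # Network monitoring
      services.vnstat.enable = true;

      # Support for exotic file systems
      boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";

      # Authentication/Encryption agents
      # gnupg's SSH support is deliberately not enabled, so the two agents
      # do not compete for SSH_AUTH_SOCK.
      programs.gnupg.agent.enable = true;
      programs.ssh.startAgent = true;

      # Strict reverse-path filtering (the default) drops the replies of
      # traffic routed through a wireguard tunnel, because they arrive on
      # a different interface than the one the kernel would route the
      # source address to. Loose mode keeps spoofed-source packets out
      # (the source must still be reachable via *some* interface) while
      # allowing the asymmetric routing the tunnel needs, so prefer it to
      # switching the filter off entirely.
      networking.firewall.checkReversePath = "loose";

      # Open ports for quick tests
      # NOTE(review): these ranges are open on every interface and for any
      # remote host, on all machines sharing this module. Anything listening
      # there (ad-hoc HTTP servers, debug endpoints) is reachable from the
      # network; consider scoping them per interface
      # (networking.firewall.interfaces.<name>.allowed*PortRanges) or
      # enabling them only on the host that needs them.
      networking.firewall = {
        allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
        allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
      };

      # Globally set Let’s Encrypt requirements
      security.acme = {
        acceptTerms = true;
        email = "security@sbruder.de";
      };

      # Print the closure diff between the running system and the one being
      # activated. This is informational only: on the first activation
      # /run/current-system does not exist yet, and a failure of the diff
      # itself must not turn the whole activation into a failure, hence the
      # explicit `if` and the trailing `|| true`.
      system.activationScripts.diff = ''
        if [ -L /run/current-system ]; then
          ${pkgs.nixUnstable}/bin/nix \
            --experimental-features 'nix-command' \
            store \
            diff-closures /run/current-system "$systemConfig" || true
        fi
      '';
    }

    # Firmware updates only make sense on a full system
    (lib.mkIf config.sbruder.full {
      services.fwupd.enable = true;
    })

    (lib.mkIf (!config.sbruder.full) {
      # Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
      # Only build the default locale plus whatever extraLocaleSettings
      # reference, instead of every locale glibc knows about.
      i18n.supportedLocales = map (locale: locale + "/UTF-8")
        ((lib.singleton config.i18n.defaultLocale) ++ (lib.attrValues config.i18n.extraLocaleSettings));

      documentation.enable = lib.mkDefault false;
    })
  ];
}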