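# NixOS host configuration for "dragon" (hostName is forced below).
#
# The host pulls in the shared service modules from ../config, runs LXD with
# the lxc AppArmor profiles loaded, and hosts one NixOS container ("kick")
# that serves kick.orbekk.no over HTTPS with Buypass-issued certificates.
{ config, lib, pkgs, ... }:

{
  imports = [
    ../config/mpd.nix
    ../config/borg-backup.nix
    ../config/common.nix
    ../config/users.nix
    ../config/weechat.nix
    ../config/dns.nix
    ../config/hydra.nix
    ../config/web-server.nix
    ../config/cgit.nix
    ../config/mail-server.nix
    ../config/munin-node.nix
    ../config/munin-master.nix
    ../config/vpn-server.nix
    ../config/terraria.nix
  ];

  environment.systemPackages = with pkgs; [ ipmitool ];

  # LXD on the host; its containers are confined by the AppArmor profiles
  # shipped in pkgs.lxc rather than running unconfined.
  virtualisation.lxd.enable = true;
  security.apparmor = {
    enable = true;
    profiles = [
      "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star"
      "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
    ];
    packages = [ pkgs.lxc ];
  };

  # NixOS container for kick.orbekk.no. It gets its own network namespace
  # attached to br0, and its firewall only opens HTTP/HTTPS.
  containers.kick = {
    autoStart = true;
    hostBridge = "br0";
    privateNetwork = true;
    config = { config, pkgs, ... }: {
      system.activationScripts = {
        resolvconf = {
          # Activation scripts run on every boot and every "switch", so the
          # append is guarded with grep: the original unconditional ">>"
          # added a duplicate nameserver line on each activation. The chmod
          # calls only affect non-root readers (root writes regardless of
          # mode bits) and are kept for parity with the previous behaviour.
          # NOTE(review): networking.nameservers below already lists this
          # resolver; whether this script is still needed depends on how
          # the container's /etc/resolv.conf is generated — confirm.
          text = ''
            chmod +w /etc/resolv.conf
            grep -qxF 'nameserver 2001:4860:4860::8888' /etc/resolv.conf \
              || echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf
            chmod -w /etc/resolv.conf
          '';
        };
      };

      networking.firewall.allowedTCPPorts = [ 80 443 ];
      networking.nameservers = [
        "2001:4860:4860::8888"
        "2001:4860:4860::8844"
      ];

      services.nginx = {
        enable = true;
        virtualHosts = {
          "kick.orbekk.no" = { enableACME = true; };
        };
      };

      environment.systemPackages = [ pkgs.simp_le ];

      # Wrap simp_le so it always talks to the Buypass ACME directory with the
      # account e-mail and the accepted terms-of-service hash baked in. The
      # inner "pkgs" is the un-overridden package set, so ${pkgs.simp_le}
      # refers to the upstream binary and does not recurse into this override.
      nixpkgs.config.packageOverrides = pkgs: {
        simp_le = pkgs.stdenv.mkDerivation {
          name = "simp_le";
          nativeBuildInputs = [ pkgs.makeWrapper ];
          buildCommand = ''
            mkdir -p $out/bin
            makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \
              --add-flags "--server https://api.buypass.com/acme/directory" \
              --add-flags "--email kj@orbekk.com" \
              --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1"
          '';
        };
      };
    };
  };

  boot = {
    # Console on tty0 plus a 115200 8N1 serial console on ttyS0 (presumably
    # reached via IPMI serial-over-LAN, given ipmitool above). The quoted
    # second entry is passed to the kernel as written.
    kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ];

    # The host forwards IPv4 and IPv6 for br0/containers. accept_ra=2 keeps
    # br0 accepting router advertisements even though forwarding is enabled,
    # which would otherwise disable RA processing on that interface.
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv6.conf.br0.accept_ra" = 2;
    };

    # GRUB drives the same serial port so the boot menu is reachable remotely.
    loader.grub.extraConfig = ''
      GRUB_TERMINAL="serial"
      GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
    '';
    loader.grub.enable = true;
    loader.grub.version = 2;
    loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
  };

  networking = {
    hostName = lib.mkForce "dragon";
    firewall.allowPing = true;
    # "loose" reverse-path filtering accepts packets whose source is routable
    # via any interface, not just the one they arrived on. This relaxes
    # anti-spoofing compared with the strict default; it is presumably needed
    # for the bridge plus the VPN server imported above — keep it deliberate.
    firewall.checkReversePath = "loose";
    bridges = {
      br0 = { interfaces = [ "eno2" ]; };
    };
    # interfaces.br0.ip6 = [
    #   # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; }
    #   { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
    # ];
    # Managed with dhcpv6 now.
    # localCommands = ''
    #   sleep 10
    #   echo setting up routes
    #   ip -6 addr add 2001:470:8e2e:20::d/64 dev br0 || true
    #   ip -6 route replace default via fe80::822a:a8ff:fe4d:f5d6 dev br0 metric 0 src 2001:470:8e2e:20::d || true
    #   ip route replace default via 10.0.20.1 dev br0 metric 0 || true
    # '';
  };

  services = {
    # SSH is key-only: password logins are disabled. mkDefault lets an
    # imported module override "enable" without a priority conflict.
    openssh = {
      enable = lib.mkDefault true;
      passwordAuthentication = false;
    };
  };

  # Two btrfs subvolumes on the same partition.
  fileSystems = {
    "/storage" = {
      device = "/dev/sda3";
      fsType = "btrfs";
      options = [ "subvol=storage" ];
    };
    "/staging" = {
      device = "/dev/sda3";
      fsType = "btrfs";
      options = [ "subvol=staging" ];
    };
  };

  system.stateVersion = lib.mkForce "17.09";
}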