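# NixOS system configuration for host "propus".
#
# Role, as far as this file shows: a LUKS-encrypted machine that
#   * joins a WireGuard network through the "gemini" interface,
#   * acts as NAT gateway from the wired LAN (enp11s0) to Wi-Fi (wlp13s0),
#   * serves DHCP and DNS to that LAN with dnsmasq,
#   * accepts SSH logins for a single admin user.
{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Encrypted volume unlocked from the initrd.
  boot.initrd.luks.devices."luks-8a8e9f28-3ef1-4166-b736-04867468c375".device =
    "/dev/disk/by-uuid/8a8e9f28-3ef1-4166-b736-04867468c375";

  networking.hostName = "propus";

  # Set your time zone.
  time.timeZone = "Europe/London";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";

  # Configure console keymap
  console.keyMap = "uk";

  # Accounts are fully declarative: passwords and users changed at runtime
  # are reset on the next rebuild.
  users.mutableUsers = false;

  users.users.gareth = {
    isNormalUser = true;
    description = "Gareth Pulham";
    # NOTE(review): this hash is copied into the world-readable /nix/store and
    # into whatever repository holds this file, so it is open to offline
    # guessing by anyone who can read either. Prefer `hashedPasswordFile`
    # pointing at a root-only file kept outside the store, and rotate the
    # password if this file has been published.
    hashedPassword = "$6$IKNWIVU4wyvwkBGw$wmvfMomW3GYqoR9ROVxIqr6.qc447j0bROe9Rt67iC.aezOoO9Pjz9PL29DoR0oWS.ptY2hiRUxUlDrlzgIW31";
    # "wheel" grants sudo; together with SSH access this is the admin account.
    extraGroups = [ "networkmanager" "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICu/pmMEubI8o32G1sYSCl5/H55iUQD5cpM8HbVbr71O gareth to propus"
    ];
    packages = with pkgs; [];
  };

  environment.variables.EDITOR = "vim";

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    wireguard-tools
    btop
  ];

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # Port 22 is opened on every interface below, including the Wi-Fi uplink.
  # The admin user already has a public key provisioned, so password-based
  # logins are switched off to take the account password out of reach of
  # network guessing. Root gets no SSH login at all; use sudo via "wheel".
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };

  networking.wireguard.interfaces = {
    gemini = {
      ips = [ "fded:cafe:babe:1::d8d/64" ];
      listenPort = 51820;
      # Referenced by path, so the private key itself stays out of the Nix
      # store. The file must exist on the host; keep it readable by root only.
      privateKeyFile = "/root/wireguard-keys/gemini.privkey";
      peers = [{
        publicKey = "uQ36+e+ZYdM/zz+cprvTWDUNsQ+cvoA9BitRIPg44Bo=";
        # Only the tunnel's /64 is routed to (and accepted from) this peer.
        allowedIPs = [ "fded:cafe:babe:1::/64" ];
        endpoint = "wasat.pulham.info:51820";
        # Periodic keepalive so the session survives NAT between us and the peer.
        persistentKeepalive = 20;
      }];
    };
  };

  # Enable networking
  networking.networkmanager.enable = true;

  networking = {
    interfaces = {
      # Wired LAN side: this host is the gateway at 10.69.0.1/16.
      enp11s0 = {
        ipv4.addresses = [{
          address = "10.69.0.1";
          prefixLength = 16;
        }];
      };
    };
    # Masquerade LAN traffic out through the Wi-Fi interface.
    nat = {
      enable = true;
      externalInterface = "wlp13s0";
      internalInterfaces = [ "enp11s0" ];
    };
  };

  # DHCP + DNS for the wired LAN.
  services.dnsmasq = {
    enable = true;
    settings = {
      # Upstream resolvers; no-resolv makes dnsmasq ignore /etc/resolv.conf.
      server = [ "8.8.8.8" "1.1.1.1" ];
      # Do not forward plain names or reverse lookups for private ranges upstream.
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
      cache-size = 1000;
      dhcp-range = [ "enp11s0,10.69.1.100,10.69.1.254,24h" ];
      # Serve requests arriving on the LAN interface only.
      interface = "enp11s0";
      dhcp-host = "10.69.0.1";
      dhcp-option = [ "option:netmask,255.255.0.0" ];
      # Names under .lan are answered locally and never forwarded.
      local = "/lan/";
      domain = "lan";
      expand-hosts = true;
      no-hosts = true;
    };
  };

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 22 ];
  # NOTE(review): these ports are opened on all interfaces. 67 (DHCP) is only
  # served on enp11s0, which is already fully trusted below, so the global
  # entry looks redundant and could be dropped - confirm before removing.
  networking.firewall.allowedUDPPorts = [ 51820 67 ];
  # Everything arriving on the LAN interface bypasses the firewall, so any
  # service listening on this host is reachable from LAN clients.
  networking.firewall.trustedInterfaces = [ "enp11s0" ];

  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
}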