home/hosts/odin/default.nix

{ inputs, outputs, pkgs, lib, config, ... }:
{
  imports = [
    inputs.nixos-facter-modules.nixosModules.facter
    { config.facter.reportPath = ./facter.json; }

    outputs.modules.global.nix-config
    inputs.sops-nix.nixosModules.sops
    inputs.impermanence.nixosModules.impermanence
    inputs.disko.nixosModules.disko

    ./disko.nix
    # ./services
  ];

  # System identification
  networking.hostName = "odin";
  networking.useDHCP = lib.mkDefault true;

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets."thomas/password".neededForUsers = true;
  sops.secrets."nullmailer/remotes".owner = config.services.nullmailer.user;


  # Boot configuration
  boot = {
    # Use systemd-boot for UEFI systems
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      grub.devices = [ config.disko.devices.disk.main.device ];
      timeout = 3;
    };

    # Kernel parameters for server workload
    kernelParams = [ "rootflags=compress=zstd:1,noatime" ];
    kernelModules = [ "nct6775" ];

    # Enable KSM for memory efficiency with containers
    kernel.sysctl = {
      "kernel.sysrq" = 1;
      "vm.swappiness" = 10;
      "net.core.default_qdisc" = "cake";
    };

    # Impermanence: reset root on boot
    initrd.postDeviceCommands = lib.mkAfter ''
      DEVICE=${config.disko.devices.disk.main.device}-part2

      mkdir -p /mnt
      mount -o subvol=/ $DEVICE /mnt

      # Create a directory for old roots if it doesn't exist
      mkdir -p /mnt/old-roots

      # Move current root to old-roots with timestamp if it exists
      if [[ -e /mnt/@root && ! -e /mnt/@root-blank ]]; then
        timestamp=$(date --date="@$(stat -c %Y /mnt/@root)" "+%Y-%m-%d_%H:%M:%S")
        mv /mnt/@root "/mnt/old-roots/@root-$timestamp"
      fi

      # Function to recursively delete subvolumes
      delete_subvolume_recursively() {
        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
          delete_subvolume_recursively "/mnt/$i"
        done
        btrfs subvolume delete "$1"
      }

      # Delete old roots older than 30 days
      for i in $(find /mnt/old-roots/ -maxdepth 1 -mtime +30); do
        delete_subvolume_recursively "$i"
      done

      # Create fresh root from blank if needed or create blank if it doesn't exist
      if [[ -e /mnt/@root-blank ]]; then
        btrfs subvolume delete /mnt/@root || true
        btrfs subvolume snapshot /mnt/@root-blank /mnt/@root
      else
        btrfs subvolume create /mnt/@root-blank
        btrfs subvolume create /mnt/@root
      fi

      umount /mnt
    '';
  };

  hardware = {
    fancontrol = {
      enable = true;
      config = ''
        INTERVAL=10
        DEVPATH=hwmon1=devices/pci0000:00/0000:00:02.2/0000:04:00.0/nvme/nvme0 hwmon2=devices/platform/nct6775.656
        DEVNAME=hwmon1=nvme hwmon2=nct6798
        FCTEMPS=hwmon2/pwm7=hwmon1/temp1_input hwmon2/pwm2=hwmon1/temp1_input
        FCFANS=hwmon2/pwm7=hwmon2/fan7_input hwmon2/pwm2=hwmon2/fan2_input
        MINTEMP=hwmon2/pwm7=30 hwmon2/pwm2=30
        MAXTEMP=hwmon2/pwm7=60 hwmon2/pwm2=60
        MINSTART=hwmon2/pwm7=95 hwmon2/pwm2=150
        MINSTOP=hwmon2/pwm7=75 hwmon2/pwm2=0
      '';
    };
  };

  # Services configuration
  services = {
    # Drive power management and fan control
    hddfancontrol = {
      enable = true;
      settings = {
        harddrives =
          let
            devices = config.disko.devices.disk;
          in
          {
            disks = [
              devices.storage1.device
              devices.storage2.device
              devices.storage3.device
            ];
            pwmPaths = [
              "/sys/class/hwmon/hwmon2/pwm1:20:0"
              "/sys/class/hwmon/hwmon2/pwm4:80:60"
            ];
            logVerbosity = "DEBUG";
            extraArgs = [
              "--min-fan-speed-prct=0"
            ];
          };
      };
    };

    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        X11Forwarding = false;
      };
    };

    # System monitoring
    smartd = {
      enable = true;
      autodetect = true;
      notifications.test = true;
      notifications.mail.enable = true;
      notifications.mail.sender = "[email protected]";
      notifications.mail.recipient = "I <[email protected]>";
    };

    nullmailer = {
      enable = true;
      setSendmail = true;
      remotesFile = config.sops.secrets."nullmailer/remotes".path;
      config = {
        me = "odin.t5.st";
        defaulthost = "odin.t5.st";
        defaultdomain = "odin.t5.st";
        allmailfrom = "[email protected]";
        adminaddr = "[email protected]";
      };
    };

    # Time synchronization
    timesyncd.enable = true;

    # Btrfs maintenance
    btrfs.autoScrub = {
      enable = true;
      interval = "monthly";
      fileSystems = [ "/" ];
    };

    # Drive spin-down management
    # hdparm.devices = [
    #   {
    #     device = "/dev/disk/by-id/ata-ST8000VN002-2ZM188_WPV023WG";
    #     spindownTime = 120; # 10 minutes
    #     apmLevel = 127;
    #   }
    #   {
    #     device = "/dev/disk/by-id/ata-ST8000VN002-2ZM188_WPV07RMA";
    #     spindownTime = 120;
    #     apmLevel = 127;
    #   }
    #   {
    #     device = "/dev/disk/by-id/ata-ST8000VN002-2ZM188_WPV020CG";
    #     spindownTime = 120;
    #     apmLevel = 127;
    #   }
    # ];
  };

  # # Container runtime
  # virtualisation = {
  #   docker = {
  #     enable = true;
  #     storageDriver = "btrfs";
  #     autoPrune = {
  #       enable = true;
  #       dates = "weekly";
  #       flags = [ "--all" "--force" "--volumes" ];
  #     };
  #   };
  # };

  # System packages
  environment.systemPackages = with pkgs; [
    # System utilities
    htop
    btop
    iotop
    lsof
    pciutils
    usbutils

    # Network tools
    curl
    wget
    rsync

    # File system tools
    btrfs-progs
    xfsprogs
    smartmontools
    hdparm

    # # Container tools
    # docker-compose

    # Storage management
    snapraid
    mergerfs

    # Monitoring
    lm_sensors
    nvme-cli
  ];

  # User configuration
  users = {
    mutableUsers = false; # Declarative user management
    users = {
      # Main user account
      thomas = {
        isNormalUser = true;
        extraGroups = [ "wheel" "users" ];
        hashedPasswordFile = config.sops.secrets."thomas/password".path;
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5o7LT5wPYWgI8Mvr6RKOv+BcsbQgU7PCw2hheVu17alwF1uFUsAYV5BVQu+uv9uEm/UDsCNhfM6TwI0A1prdmtBz4pKiwXbj7fcdp6DcVOgTsPfawbXEpivtJvlhEatyTsR26MjHKnqpT0BxPvj6Ug6pvRkCYW5d2bWXiY9murmAX6Q5kSyNunkB8PdRTH+S47f7eOdCJY63VBOkkiG8M7XyPwFCDTYiHhbMZcejIdY9mB6kYnMQVRHDznQWiQxrcaE1fD/TY3db9GDcOVoo2aDBOZX7WT2+me67sU8dEK9+nSyhWDzBbEs8knu87ZlKPFwhl4slenRniKhbf22OpicXArtEcjEj0GyDJH5e+ZCIQ4eSQanA7TxnKFlDuaf+Qqx55UT+ya4vJJeik7nkzbRHaE9IoWhhiOaOnaN6kHIxuxB6z7EL3Gk7f78+I/qBaj5df6fgnXM3JBXKa5bRH2wqoSetJAo6EGpEgmU2huB1ktiGlO7BlF5XwSw6cb/KT7NSIXhncgLkCzsDVXxecVQv1FnPISBcp3+ti01ADVf2trgpPDbNTWV40Rgiefie0o2fc6KWAFfum1j5N3WWU+XVVmRjDmKKHiEJBLNKDAe0rQf+tryPW4c5GIN7aFoB+8dYFAuUyLd7Fu3vhZdmcckN5ryHunEc0dKPIiuoVZw=="
        ];
      };
    };
  };

  # Persistent directories for impermanence
  fileSystems."/persist".neededForBoot = true;
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/etc/nixos"
      "/etc/ssh"
      "/var/lib/nixos"
      "/var/lib/systemd"
      "/srv"
    ];
    files = [
      "/etc/machine-id"
    ];
    users.thomas = {
      directories = [
        ".ssh"
        ".config"
      ];
    };
  };

  # System state version
  system.stateVersion = "25.05";
}