{ config, lib, pkgs, ... }: {

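  # Relax Git's ownership check (safe.directory) only for the tree that cgit
  # scans below, where the repositories are owned by nipsy but read by the
  # cgit/fcgiwrap user.  A bare "*" here would switch the check off for every
  # repository on the host and every user, which is the condition the check
  # exists to prevent (running hooks/config from a repo someone else owns).
  # The trailing "/*" form matches the directory and everything beneath it
  # (Git >= 2.46) -- confirm against the running git if cgit stops seeing
  # repositories; any other trees needing the exemption get their own entry.
  environment.etc."gitconfig".text = ''
    [safe]
    	directory = /home/nipsy/www/git/*
  '';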

  # NFSv4 needs only 2049/tcp (v2/v3 and UDP are disabled under services.nfs).
  # The port is opened on every interface; the export line restricts clients to
  # 192.168.1.0/24, but the listener itself is reachable wherever the host is.
  networking.firewall = {
    allowedTCPPorts = [ 2049 ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "nipsy@bitgnome.net";

    # The vhost certificate is shared with postfix (services.postfix points at
    # the same PEM files).  After every issue/renewal: give the postfix user
    # traverse ("--x") on the cert directory -- enough to open the files but
    # not to list or read anything else in it -- and read on the two PEM
    # files, then reload postfix so it loads the fresh key pair.
    # NOTE(review): the reload could equally be expressed with the module's
    # reloadServices option; the ACL lines are what actually need postRun.
    certs."arrakis.bitgnome.net".postRun = ''
      ${pkgs.acl}/bin/setfacl -m u:postfix:--x /var/lib/acme/arrakis.bitgnome.net
      ${pkgs.acl}/bin/setfacl -m u:postfix:r-- /var/lib/acme/arrakis.bitgnome.net/{fullchain,key}.pem
      ${pkgs.systemd}/bin/systemctl reload postfix.service
    '';
  };

  services = {

    # mDNS responder plus .local name resolution via NSS; openFirewall admits
    # the 5353/udp multicast traffic it needs.
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
    };

    # Web front-end for the bare repositories under nipsy's www tree, mounted
    # at /nipsy/git/ on the nginx vhost below.
    cgit."arrakis.bitgnome.net" = {
      enable = true;
      nginx.location = "/nipsy/git/";
      scanPath = "/home/nipsy/www/git";
      settings = let
        filters = "${pkgs.cgit}/lib/cgit/filters";
      in {
        root-title = "Spice Factory";
        root-desc = "Dune.  Desert planet.";
        logo = "/nipsy/git/cgit.png";
        css = "/nipsy/git/cgit.css";
        # Clone URL is rebuilt from the request's Host header.
        clone-url = "https://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL";
        about-filter = "${filters}/about-formatting.sh";
        source-filter = "${filters}/syntax-highlighting.py";
        mimetype-file = "${pkgs.mailcap}/etc/mime.types";
        readme = ":README.md";
        remove-suffix = 1;
        branch-sort = "age";
        max-stats = "quarter";
        # Archive downloads of any ref are offered for every scanned repo.
        snapshots = "all";
        # Each scanned repo's own git config may override these settings, so
        # whoever can write under scanPath can adjust how cgit presents it.
        enable-git-config = true;
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-index-links = true;
        enable-log-filecount = true;
        enable-log-linecount = true;
      };
    };

    # Signature updates only (freshclam); no scanner daemon is enabled in this
    # file.
    clamav = {
      updater.enable = true;
    };

    cron = {
      enable = true;
    };

    dictd = {
      enable = true;
    };

    # NOTE(review): iperf3.enable is not set in this file; confirm that
    # openFirewall alone has the intended effect, or that the service is
    # enabled elsewhere.
    iperf3 = {
      openFirewall = true;
    };

    # Jellyfin from the "master" package set rather than the host's default
    # nixpkgs.  NOTE(review): nginx below proxies to 192.168.1.2:8096; confirm
    # that address is this host, since the service is enabled here.
    jellyfin = { enable = true; package = pkgs.master.jellyfin; };

    # Read-only NFSv4 export of /srv/nfs to the home LAN.
    nfs = {
      server = {
        enable = true;
        # ro + all_squash: every client identity maps to the anonymous user,
        # so nothing on the share is writable or owner-sensitive.  "insecure"
        # accepts client source ports above 1023, which means any user on a
        # 192.168.1.0/24 host can mount it, not only root there.  fsid=0
        # marks this path as the v4 pseudo-root.
        exports = ''
          /srv/nfs	192.168.1.0/24(ro,all_squash,insecure,crossmnt,subtree_check,fsid=0)
        '';
      };
      # Offer only NFSv4 over TCP: v2/v3 and UDP are switched off.
      settings.nfsd = {
        udp = false;
        vers2 = false;
        vers3 = false;
        vers4 = true;
      };
    };

    # nginx serves the static tree under /var/www, reverse-proxies Jellyfin on
    # a sub-path, and publishes a netboot image (kernel, initrd, iPXE script)
    # built from the nixosSystem below.  cgit attaches to the same vhost.
    nginx = let

      # Minimal netboot NixOS: sshd with key-only auth and one public key for
      # both "nixos" and "root".  Only the public key is embedded, so serving
      # these artifacts leaks no secret; what any client of the vhost gets is
      # an unsigned boot image, fetched over plain HTTP when $geo = 1, so the
      # iPXE chain trusts the network it boots from.
      sys = lib.nixosSystem {
        system = "x86_64-linux";

        modules = [
          ({ config, pkgs, lib, modulesPath, ... }: {
            imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") ];

            config = {
              environment.systemPackages = with pkgs; [
                git
              ];

              nix.settings.experimental-features = [ "nix-command" "flakes" ];

              services.openssh = {
                enable = true;
                openFirewall = true;

                # Key-only logins: no password or keyboard-interactive fallback.
                settings = {
                  PasswordAuthentication = false;
                  KbdInteractiveAuthentication = false;
                };
              };

              users.users = {
                nixos.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
                root.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
              };
            };
          })
        ];
      };

      # Build outputs of the netboot system, aliased into /boot/* below.
      build = sys.config.system.build;

    in {
      # $geo is 1 for loopback and 192.168.1.0/24, 0 for everything else; the
      # vhost uses it to force remote clients onto HTTPS while local ones may
      # stay on plain HTTP.
      appendHttpConfig = ''
        geo $geo {
        	default 0;
        	127.0.0.1 1;
        	::1 1;
        	192.168.1.0/24 1;
        }
      '';
      enable = true;

      # Use recommended settings
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      #recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only allow PFS-enabled ciphers with AES256
      # NOTE(review): this list still admits the AES256 CBC/SHA1 suites and
      # excludes ChaCha20; it governs TLS 1.2 only (TLS 1.3 suites are
      # configured separately), so confirm it matches the intended policy.
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      virtualHosts = {
        "arrakis.bitgnome.net" = {
          # addSSL rather than forceSSL: both 80 and 443 are served, and the
          # redirect below moves only non-local ($geo = 0) clients to HTTPS.
          addSSL = true;
          enableACME = true;

          # NOTE(review): the redirect target is built from $host, i.e. the
          # client's Host header.  If this vhost is the default server for
          # the listener, a request carrying a foreign Host header is
          # redirected to that foreign host; $server_name would pin the
          # target to arrakis.bitgnome.net.
          extraConfig = ''
            if ($geo = 0) {
            	return 301 https://$host$request_uri;
            }
          '';

          locations = {
            # Netboot artifacts served straight out of the Nix store.
            "= /boot/bzImage" = {
              alias = "${build.kernel}/bzImage";
            };

            "= /boot/initrd" = {
              alias = "${build.netbootRamdisk}/initrd";
            };

            "= /boot/netboot.ipxe" = {
              alias = "${build.netbootIpxeScript}/netboot.ipxe";
            };

            "/" = {
              tryFiles = "$uri $uri/ =404";
            };

            # Same $host caveat as the server-level redirect above.
            "/jellyfin" = {
              return = "302 $scheme://$host/jellyfin/";
            };

            # Jellyfin on a sub-path: forwarding headers and WebSocket upgrade
            # are passed through, buffering is off for streaming.  The CORS
            # block answers preflights here with a wildcard origin but sets no
            # Access-Control-Allow-Headers/-Methods -- NOTE(review): confirm
            # that suffices for whichever cross-origin clients need it; the
            # web UI served from this same origin does not.
            "/jellyfin/" = {
              extraConfig = ''
                proxy_pass_request_headers on;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_buffering off;

                # CORS setup
                add_header 'Access-Control-Allow-Origin' '*' always;
                add_header 'Access-Control-Expose-Headers' 'Content-Length';

                # Allow CORS preflight requests
                if ($request_method = 'OPTIONS') {
                	add_header 'Access-Control-Allow-Origin' '*';
                	add_header 'Access-Control-Max-Age' 1728000;
                	add_header 'Content-Type' 'text/plain charset=UTF-8';
                	add_header 'Content-Length' 0;
                	return 204;
                }
              '';
              # Backend reached over plain HTTP at a LAN address.
              # NOTE(review): if Jellyfin runs on this host (services.jellyfin
              # is enabled above), 127.0.0.1 keeps the unencrypted hop off
              # the wire.
              proxyPass = "http://192.168.1.2:8096/jellyfin/";

            };

            # Directory listing is deliberately on here: anything placed under
            # /var/www/nipsy is enumerable by every client of the vhost.
            "/nipsy" = {
              extraConfig = ''
                autoindex on;
              '';
              tryFiles = "$uri $uri/ =404";
            };
          };

          root = "/var/www";
        };
      };
    };

    # Outbound mail relays through mail.bitgnome.net on the submission port;
    # local mail for nipsy and root is forwarded to the same address.  TLS
    # uses the ACME certificate that security.acme makes readable to postfix.
    # NOTE(review): neither SASL credentials nor a TLS security level for the
    # relay appear in this file; confirm they are configured elsewhere so the
    # hop to the relay is authenticated and cannot fall back to plaintext.
    postfix = rec {
      enable = true;
      rootAlias = "nipsy@bitgnome.net";
      extraAliases = "nipsy: ${rootAlias}\n";
      hostname = "${config.networking.hostName}.${config.networking.domain}";
      relayHost = "mail.bitgnome.net";
      relayPort = 587;
      sslCert = "/var/lib/acme/arrakis.bitgnome.net/fullchain.pem";
      sslKey = "/var/lib/acme/arrakis.bitgnome.net/key.pem";
    };

    # CUPS print server.
    printing = {
      enable = true;
    };

    # SABnzbd runs as nipsy with its configuration kept in nipsy's home.
    # NOTE(review): sabnzbd.ini normally carries the web-UI/API credentials,
    # so its file mode should stay owner-only.
    sabnzbd = {
      enable = true;
      configFile = "/home/nipsy/.sabnzbd/sabnzbd.ini";
      user = "nipsy";
      group = "nipsy";
    };

    # SMB file sharing with per-user authentication.  openFirewall is not set
    # here, so 139/445 stay closed unless opened elsewhere.
    samba = {
      enable = true;
      settings = {
        global = {
          security = "user";
          "invalid users" = [ "root" ];
          "passwd program" = "/run/wrappers/bin/passwd %u";
          # SMB1 unix extensions must be off for "wide links = yes" in the
          # shares below; wide links let symlinks inside a share resolve to
          # paths outside it.
          "smb1 unix extensions" = "no";
        };

        # Per-user home shares: writable, visible only to the owning user.
        homes = {
          browseable = "no";
          "read only" = "no";
          "valid users" = "%S";
          "create mask" = "0775";
          "directory mask" = "0775";
          "wide links" = "yes";
        };

        # Read-only view of nipsy's home, for nipsy only.
        nipsy-ro = {
          browseable = "no";
          path = "/home/nipsy";
          "read only" = "yes";
          "valid users" = "nipsy";
          "wide links" = "yes";
        };
      };
    };

    # smartd watches every drive (-a), turns on automatic offline testing and
    # attribute autosave (-o/-S) and mails alerts to nipsy.  The ATA drives
    # additionally run a short self-test daily at 02:00 and a long one on
    # Fridays at 03:00 (-s schedule); the NVMe pair has no self-test schedule.
    smartd = let
      mail = "nipsy@bitgnome.net";
      byId = id: "/dev/disk/by-id/${id}";
      nvme = id: {
        device = byId id;
        options = "-a -o on -S on -m ${mail}";
      };
      ata = id: {
        device = byId id;
        options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${mail}";
      };
    in {
      enable = true;
      devices = map nvme [
        "nvme-WD_BLACK_SN850X_4000GB_23162P800005"
        "nvme-WD_BLACK_SN850X_4000GB_23162P800014"
      ] ++ map ata [
        "ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"
        "ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"
        "ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"
        "ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"
        "ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"
        "ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"
        "ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"
        "ata-WDC_WD80EFAX-68KNBN0_VAHV338L"
      ];
    };

  };

  #systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;

}