# NixOS module for an AppDaemon development host: Docker, SSH, Tailscale,
# sops-managed secrets and a single `appdaemon` operator account.
#
# Privilege summary (all visible in this file): `appdaemon` is in `wheel` and
# `docker`, wheel members are Nix trusted users, and sudo-rs lets wheel run
# commands without a password. Treat that account, its SSH keys and its home
# directory as root-equivalent.
{ pkgs, lib, userSettings, ... }:
let
  stateVersion = "24.05";

  # NOTE(review): `import` is applied to `{}` with no path or channel argument,
  # which looks like it was lost somewhere. The binding is only referenced from
  # the commented-out `unstable.uv` entry below, so it is never forced as the
  # file stands. Restore the intended source before re-enabling that entry.
  unstable = import {};

  adHome = "/srv/appdaemon";
  adNixPath = "${adHome}/ad-nix";
  adPath = "/usr/src/app";
  adRepo = "https://github.com/jsl12/appdaemon";
  adBranch = "hass";

  mkScript = pkgs.writeShellScriptBin;

  # Convenience wrappers installed system-wide. All but `ads` call sudo, which
  # is passwordless for wheel (see security.sudo-rs below).
  helperScripts = [
    (mkScript "nrbs" "sudo nixos-rebuild switch")
    (mkScript "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
    # --impure lets evaluation read host state outside the flake.
    # NOTE(review): presumably needed for the absolute authorizedKeys path
    # further down; confirm.
    (mkScript "nfs" "sudo nixos-rebuild switch --flake ${adNixPath} --impure")
    (mkScript "ads" ''
      cd ${adPath}
      nix develop --no-pure-eval ${adNixPath}/appdaemon
    '')
    # Clones the AppDaemon fork as root, then hands ownership to `appdaemon`.
    # NOTE(review): `-b ${adBranch}` follows a moving branch head, so the code
    # that lands in ${adPath} is not pinned to a reviewed commit.
    # NOTE(review): the chown target is `dirname ${adPath}` (the parent
    # directory), so the recursive ownership change covers everything under
    # it, not just the clone. The expansion is also unquoted.
    (mkScript "ad-clone" ''
      if [ ! -d ${adPath} ]; then
        sudo git clone -b ${adBranch} ${adRepo} ${adPath}
        sudo chown -R appdaemon:users $(dirname ${adPath})
      else
        echo "${adPath} already exists"
      fi
    '')
  ];
in
{
  # Sibling modules; their contents are not visible from this file.
  imports = [
    ./telegraf.nix
    ./promtail.nix
    ./portainer.nix
    ./watchtower.nix
  ];

  nix.settings = {
    # Nix trusted users can override daemon settings and are documented as
    # essentially root-equivalent; "@wheel" extends that to `appdaemon`.
    trusted-users = [ "root" "@wheel" ];
    experimental-features = [ "nix-command" "flakes" ];
  };

  sops = {
    # Path literal: this file ends up in the Nix store, so it should only ever
    # hold sops-encrypted values.
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # The age private key sits inside the appdaemon home directory.
    # NOTE(review): file mode and ownership are not managed here; verify the
    # key is readable only by the account(s) that must decrypt.
    age.keyFile = "${adHome}/.config/sops/age/keys.txt";
  };

  environment.systemPackages = helperScripts ++ (with pkgs; [
    # unstable.uv
    bash
    git
    eza
    gh
    sops
    # appdaemon
  ]);

  time.timeZone = "America/Chicago";

  virtualisation = {
    docker.enable = true;
    oci-containers.backend = "docker";
  };

  services = {
    vscode-server.enable = true;
    # NOTE(review): no services.openssh.settings are given in this file, so
    # password authentication and root login follow the module defaults unless
    # another module sets them. Consider pinning them explicitly (for example
    # services.openssh.settings.PasswordAuthentication = false).
    openssh.enable = true;
    tailscale.enable = true;
  };

  system = {
    inherit stateVersion;

    # Creates /conf on activation when it is missing. An existing /conf is
    # left untouched, so its mode and owner are not corrected.
    # NOTE(review): 1000:100 are hard-coded numeric ids. This file does not set
    # a uid for `appdaemon`, so confirm they map to the intended account.
    activationScripts.ensureDirectory = ''
      if [ ! -d /conf ]; then
        mkdir /conf
        chmod 0755 /conf
        chown 1000:100 /conf
      fi
    '';
  };

  security.sudo-rs = {
    enable = true;
    execWheelOnly = false;
    # Wheel members run any command through sudo without authenticating, so
    # a compromised appdaemon session gets root with no second factor.
    wheelNeedsPassword = false;
  };

  users.users.appdaemon = {
    isNormalUser = true;
    home = adHome;
    # "docker" grants control of the Docker daemon, which is itself
    # root-equivalent, independently of the wheel/sudo path.
    extraGroups = [ "wheel" "docker" ];
    # Reuses root's authorized_keys: every key accepted for root at build time
    # is also accepted for this account. The absolute path points at host
    # state outside the configuration tree, so the result depends on the
    # machine the build runs on.
    openssh.authorizedKeys.keyFiles = [ "/root/.ssh/authorized_keys" ];
  };

  home-manager = {
    useGlobalPkgs = true;
    users.appdaemon = { pkgs, ... }: {
      home = { inherit stateVersion; };
      systemd.user.startServices = "sd-switch";
      imports = [ (import ./git.nix { inherit userSettings; }) ];

      programs = {
        ssh.enable = true;
        # Marks the config checkout as a git safe.directory for this user.
        git.extraConfig.safe.directory = adNixPath;
        bash = {
          enable = true;
          # Login shells start inside the configuration checkout.
          profileExtra = "cd ${adNixPath}";
        };
      };
    };
  };
}