{ self, inputs, lib, ... }:
let
  # Primary account and machine name. Both are used as keys into the
  # flake's per-user and per-host module sets below.
  user = "john";
  host = "soteria";
in
{
  # NixOS system definition for this host.
  flake.nixosConfigurations."${host}" = inputs.nixpkgs.lib.nixosSystem {
    modules = with inputs.self.modules; [
      nixos.lxc
      nixos."${user}"
      nixos.mysops
      nixos.step-ssh-host
      nixos.login-text
      nixos.docker
      nixos.mtls
      nixos.janus-ca
      nixos.forgejo
      # nixos.restic-server
      # nixos.restic-envoy
      ({ config, pkgs, ... }: {
        networking.hostName = host;

        # Passwordless sudo for every command: any process running as this
        # account can become root without authenticating. mkAfter keeps the
        # rule behind whatever the imported modules contribute, so it is the
        # last one sudo consults.
        security.sudo-rs.extraRules = lib.mkAfter [
          {
            users = [ user ];
            commands = [
              {
                command = "ALL";
                options = [ "NOPASSWD" ];
              }
            ];
          }
        ];

        # Group that the mtls module uses to gate access to the certificate
        # material.
        users.users."${user}".extraGroups = [ "mtls" ];

        # Host certificate, issued from the local janus CA directory with a
        # 12h lifetime.
        mtls = {
          enable = true;
          certDir = config.janus-ca.certDir;
          subject = host;
          san = [
            "${host}.john-stream.com"
            # "192.168.1.142"
            "forgejo.john-stream.com"
            "192.168.1.244"
          ];
          lifetime = "12h";
          # systemd OnCalendar spec for the renewal timer; Forgejo is reloaded
          # on renewal so it picks up the fresh certificate.
          renew.onCalendar = "*:3/15";
          renew.reloadUnits = [ "forgejo.service" ];
          # Accounts listed as readers of the issued certificate material.
          certReaders = [ config.services.forgejo.user "postgres" ];
        };

        forgejo = {
          enable = true;
          https = true;
          port = 443;
        };

        step-ssh-host.hostname = host;

        # Secrets consumed at install time come from the host's sops file.
        sops.defaultSopsFile = ./secrets.yaml;

        programs.zsh.enable = true;

        home-manager.users."${user}" = {
          imports = with inputs.self.modules; [ homeManager."${host}" ];
        };

        environment.systemPackages =
          let
            ownPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
          in
          [ ownPkgs.janus-ca ownPkgs.my-neovim ];
      })
    ];
  };

  # Home Manager module specific to this host.
  flake.modules.homeManager."${host}" = { config, pkgs, lib, ... }: {
    imports = with inputs.self.modules; [
      homeManager.rebuild
      homeManager.mysops
    ];
    homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    shell.program = "zsh";
    docker.enable = true;
    # Target file for the edit-secrets script that mysops provides.
    mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
  };

  # Standalone Home Manager configuration: the user module plus the host
  # module above.
  flake.homeConfigurations."${host}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [
      homeManager."${user}"
      homeManager."${host}"
    ];
  };
}