# Host definition for "soteria": a NixOS LXC guest running Forgejo behind the
# mTLS module and a restic REST server, plus the matching home-manager profile.
# Evaluated as a flake-parts module (hence withSystem / inputs / inputs').
{ withSystem, self, inputs, lib, ... }:
let
  username = "john";
  hostname = "soteria";

  # Port the restic REST server listens on; reused for the firewall rule so
  # the two values cannot drift apart.
  resticPort = 8000;

  inherit (inputs.self.modules) nixos homeManager;

  # Host-specific NixOS settings layered on top of the shared modules.
  hostModule = { config, pkgs, ... }:
    let
      ownPackages = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
    in
    {
      networking.hostName = hostname;
      time.timeZone = "America/Chicago";

      # Passwordless sudo for the primary user: any process running as that
      # account can become root without a prompt, so a shell as this user is
      # equivalent to root on the host.
      security.sudo-rs.extraRules = lib.mkAfter [
        {
          users = [ username ];
          commands = [
            { command = "ALL"; options = [ "NOPASSWD" ]; }
          ];
        }
      ];

      # Membership in "mtls" presumably grants the user read access to the
      # host certificate/key managed below -- TODO confirm against the mtls
      # module.
      users.users.${username}.extraGroups = [ "mtls" ];

      mtls = {
        enable = true;
        certDir = config.janus-ca.certDir;
        subject = hostname;
        san = [
          "${hostname}.john-stream.com"
          # "192.168.1.142"
          "forgejo.john-stream.com"
          "192.168.1.244"
        ];
        # Short-lived certificate; the renew timer runs on the "*:3/15"
        # systemd calendar schedule and reloads the units that serve it.
        lifetime = "12h";
        renew.onCalendar = "*:3/15";
        renew.reloadUnits = [
          "forgejo.service"
          "restic-rest-server.service"
        ];
        # Accounts allowed to read the issued certificate/key.
        certReaders = [
          config.services.forgejo.user
          "restic"
        ];
      };

      forgejo = {
        enable = true;
        root_url = "https://forgejo.john-stream.com";
        https = true;
        port = 443;
      };

      networking.firewall.allowedTCPPorts = [ resticPort ];

      # restic REST server bound to all interfaces with request
      # authentication disabled ("--no-auth"): the remaining access control
      # is network reachability of this port plus whatever the TLS layer
      # enforces, so who can reach it should be reviewed deliberately.
      services.restic.server = {
        enable = true;
        privateRepos = true;
        listenAddress = "0.0.0.0:${toString resticPort}";
        extraFlags = [
          "--no-auth"
          "--tls"
          "--tls-cert=${config.mtls.certFile}"
          "--tls-key=${config.mtls.keyFile}"
        ];
      };

      # Units whose status is shown by the login banner.
      loginText.extraServiceStatus = {
        Docker = "docker";
        "mTLS Renewal" = "mtls-renew.timer";
        Forgejo = "forgejo.service";
        "Forgejo Backup" = "forgejo-dump.timer";
        "Restic REST Server" = "restic-rest-server.service";
      };

      step-ssh-host.hostname = hostname;

      # Secrets for this host, made available at install time.
      sops.defaultSopsFile = ./secrets.yaml;

      programs.zsh.enable = true;
      home-manager.users.${username}.imports = [ homeManager.soteria ];

      environment.systemPackages = [
        ownPackages.my-neovim
        ownPackages.jsl-zsh
      ];
    };
in
{
  flake.nixosConfigurations.${hostname} = inputs.nixpkgs.lib.nixosSystem {
    modules = [
      nixos.lxc
      nixos.${username}
      nixos.mysops
      nixos.step-ssh-host
      nixos.login-text
      nixos.docker
      nixos.mtls
      nixos.janus-ca
      nixos.forgejo
      # nixos.restic-server
      # nixos.restic-envoy
      hostModule
    ];
  };

  # Home-manager profile for this host; used both by the NixOS configuration
  # above and by the standalone homeConfigurations entry below.
  flake.modules.homeManager.soteria = { config, ... }: {
    imports = [
      homeManager.rebuild
      homeManager.mysops
    ];
    homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    docker.enable = true;
    # Points the edit-secrets script at this host's secrets file.
    mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
  };

  flake.homeConfigurations.soteria = withSystem "x86_64-linux" ({ inputs', ... }:
    inputs.home-manager.lib.homeManagerConfiguration {
      pkgs = inputs'.nixpkgs.legacyPackages;
      modules = [
        homeManager.${username}
        homeManager.soteria
      ];
    });
}