# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

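{ config, depot, lib, pkgs, ... }:
# NixOS host definition for bvm-heptapod: a Heptapod (GitLab-based Mercurial
# forge) instance plus a CI runner, both run as OCI containers, with a local
# Postfix + OpenDKIM stack so the forge can send signed mail.
#
# The previous revision bound `secrets` from depot.ops in a `let` without
# using it; the dead binding has been dropped. `lib` and `pkgs` are kept in
# the module signature for compatibility with the module system.
{
  imports = [
    ../lib/bvm.nix
  ];

  networking = {
    hostName = "bvm-heptapod";
    hostId = "c30784de";
    # No IPv6 privacy (temporary) addresses: outbound traffic uses the fixed
    # addresses below, so the host's source address stays predictable.
    tempAddresses = "disabled";

    interfaces = {
      # Internal network.
      enp1s0.ipv4.addresses = [
        { address = "10.100.0.208"; prefixLength = 23; }
      ];
      # Public network; both default gateways point out of this interface.
      enp2s0 = {
        ipv4.addresses = [ { address = "92.118.28.10"; prefixLength = 24; } ];
        ipv6.addresses = [ { address = "2a09:a441::10"; prefixLength = 32; } ];
      };
      # Extra public /32 and /128 service addresses live on loopback; which
      # service binds them is not visible in this file.
      lo = {
        ipv4.addresses = [
          { address = "127.0.0.1"; prefixLength = 8; }
          { address = "92.118.28.11"; prefixLength = 32; }
        ];
        ipv6.addresses = [
          { address = "::1"; prefixLength = 128; }
          { address = "2a09:a441::11"; prefixLength = 128; }
        ];
      };
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };

    firewall = {
      # SMTP is accepted only on the Docker bridge, i.e. from containers: the
      # GitLab container below submits mail to the host's Postfix.
      interfaces.docker0.allowedTCPPorts = [ 25 ];
      # 22/80/443 are published through to the heptapod container below;
      # 20022 is the host's own sshd (see services.openssh.ports).
      allowedTCPPorts = [ 22 80 443 20022 ];
      # NOTE(review): presumably HTTP/3 (QUIC) for the container's nginx, but
      # the heptapod container publishes TCP ports only — confirm this is
      # still needed.
      allowedUDPPorts = [ 443 ];
    };
  };

  my = {
    ip.tailscale = "100.94.23.105";
    # Host sshd listens on 20022 (port 22 is taken by the container), so
    # deployment tooling and Rundeck must be told the non-default port.
    deploy.args = "-p 20022";
    rundeck.hostname = "${config.networking.fqdn}:20022";
  };

  # Host sshd moves off port 22 so the published container port 22 (forge
  # SSH) can use it. Keep in step with my.deploy.args / my.rundeck.hostname.
  services.openssh.ports = [ 20022 ];

  # Postfix talks to the OpenDKIM milter over its unix socket (referenced in
  # extraConfig below); group membership is presumably what grants access.
  users.users.postfix.extraGroups = [ "opendkim" ];

  services.postfix = {
    enable = true;
    domain = "hg.lukegb.com";
    hostname = "hg.lukegb.com";
    # DKIM-sign outbound mail via the OpenDKIM milter. With
    # milter_default_action = accept, mail is still delivered (unsigned) if
    # the milter is unavailable — a deliberate availability-over-signing
    # trade-off.
    extraConfig = ''
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = ${config.services.opendkim.socket}
      non_smtpd_milters = ${config.services.opendkim.socket}
    '';
    # Trusted relay networks (mynetworks): the Docker bridge range, so
    # containers can submit mail unauthenticated. Keep this aligned with the
    # docker0 firewall exception above.
    networks = [ "172.17.0.0/16" ];
  };
  services.opendkim = {
    enable = true;
    # Sign only for hg.lukegb.com ("csl:" = comma-separated list).
    domains = "csl:hg.lukegb.com";
    selector = "marukuru";
  };

  # Containers receive globally routable IPv6 addresses from 2a09:a441:10::/64
  # (inside the host's /32); --ip6tables hands v6 filtering for them to
  # Docker, so reachability of those addresses is governed by Docker's rules
  # rather than the NixOS firewall settings above.
  virtualisation.docker.extraOptions =
    "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2a09:a441:10::/64";

  virtualisation.oci-containers.containers = {
    # CI runner. Bind-mounting the Docker socket gives the runner control of
    # the host Docker daemon, which is effectively host-root-equivalent; that
    # level of trust extends to whatever the runner executes.
    heptapod-runner = {
      image = "octobus/heptapod-runner:0.2.0";
      volumes = [
        "/srv/gitlab-runner/config:/etc/gitlab-runner"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
    };

    heptapod =
      let
        img = depot.nix.docker.heptapod;
      in {
        image = "${img.meta.name}:${img.meta.tag}";
        # Image is loaded from the depot-built archive rather than pulled.
        imageFile = img;
        ports = [
          # host:container
          "22:22"
          "80:80"
          "443:443"
        ];
        volumes = [
          "/srv/gitlab/config:/etc/gitlab"
          "/srv/gitlab/logs:/var/log/gitlab"
          "/srv/gitlab/data:/var/opt/gitlab"
        ];
        environment = {
          # Omnibus config is a Ruby snippet that has to fit in a single
          # environment variable line, so newlines become `;` separators.
          # Mail is submitted to the host Postfix on the public IPv4 address
          # (reached from the container via docker0, port 25 above).
          GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings [ "\n" ] [ ";" ] ''
            external_url "https://hg.lukegb.com"
            letsencrypt['enable'] = true
            letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
            nginx['redirect_http_to_https'] = true
            nginx['listen_addresses'] = ["0.0.0.0", "[::]"]

            gitlab_rails['smtp_enable'] = true
            gitlab_rails['smtp_address'] = '92.118.28.10'
            gitlab_rails['smtp_port'] = 25
            gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
            gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'

            prometheus['enable'] = false
          '';
        };
      };
  };

  # Pins stateful defaults to the release this host was first installed with;
  # do not bump on upgrade.
  system.stateVersion = "21.11";
}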