{ lib, ... }:

let
  inherit (lib) mkDefault mkMerge mkOverride;

  ## Resolvers for the hosts, one pair per address family.
  nameserversV4 = [ "95.215.185.6" "95.215.185.7" ];
  nameserversV6 = [ "2a00:51c0::5fd7:b906" "2a00:51c0::5fd7:b907" ];
in

{
  _class = "nixos";

  config = {
    ## Remote administration over SSH: root may log in, but password
    ## authentication is off for every account, so access is key-based.
    ## NOTE(review): `PermitRootLogin = "prohibit-password"` would state the
    ## key-only intent directly; with `"yes"` the effect relies on
    ## PasswordAuthentication (and KbdInteractiveAuthentication) staying disabled.
    services.openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "yes";
        PasswordAuthentication = false;
      };
    };

    networking = mkMerge [
      {
        domain = mkDefault "abundos.eu";
        ## REVIEW: Do we actually need that, considering that we have static IPs?
        useDHCP = mkDefault true;
        ## Disable the default firewall and use nftables instead, with a custom
        ## Procolix-made ruleset.
        firewall.enable = false;
        nftables = {
          enable = true;
          rulesetFile = ./nftables-ruleset.nft;
        };
      }

      ## IPv4: default gateway interface and resolvers.
      {
        defaultGateway.interface = mkDefault "eth0";
        nameservers = nameserversV4;
      }

      ## IPv6: same interface; the module system concatenates both
      ## `nameservers` lists into one.
      {
        defaultGateway6.interface = mkDefault "eth0";
        nameservers = nameserversV6;
      }
    ];

    ## FIXME distinguish `staging` vs. `production`
    security.acme = {
      acceptTerms = true;
      # TODO: configure a mailserver so we can set up acme
      # use a priority more urgent than mkDefault for panel deployment to work,
      # yet looser than default so this will not clash with the setting in tests.
      defaults.email = mkOverride 200 "systeemmail@procolix.com";
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };
}