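{ config, lib, pkgs, ... }:

# Air-gapped live image for generating OpenPGP keys and loading them onto a
# YubiKey.  The whole system, including the generated keys, lives in RAM;
# nothing survives a reboot unless the operator exports it deliberately
# (paperkey, qrencode, a dedicated USB stick, ...).
#
# Based on:
#   github.com/dhess/nixos-yubikey
#   github.com/Mic92/dotfiles/blob/master/nixos/images/yubikey-image.nix

let
  # Pinned nixpkgs exposed via `nix.nixPath` on the live system.  The pin
  # itself (URL and, presumably, hash) lives in ../nixpkgs.nix, outside
  # this file -- confirm it carries a sha256 so the fetch is reproducible.
  nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);

  # drduh's YubiKey guide rendered to one HTML page; it is opened in the
  # browser at login.  Pinned to a commit and content-hashed.
  guide = pkgs.stdenv.mkDerivation {
    name = "yubikey-guide.2021.1.31.html";
    src = pkgs.fetchFromGitHub {
      owner = "drduh";
      repo = "YubiKey-Guide";
      rev = "fe6434577bce964aefd33d5e085d6ac0008e17ce";
      sha256 = "1f4sqj2nspv6939p3gj2ma4fnbz12l95kcr3bjzphjdgxkdx42hx";
    };
    buildInputs = [ pkgs.pandoc ];
    installPhase = "pandoc --highlight-style pygments -s --toc README.md -o $out";
  };

  # Hardened gpg.conf from the same author, pinned by commit and hash.
  gpg-conf = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/drduh/config/75ec3f35c6977722d4dba17732d526f704f256ff/gpg.conf";
    sha256 = "sha256-LK29P4+ZAvy9ObNGDNBGP/8+MIUY3/Uo4eJtXhwMoE0=";
  };

  # Curses pinentry so PIN/passphrase prompts work inside the terminal.
  gpg-agent-conf = pkgs.writeText "gpg-agent.conf" ''
    pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
  '';
in
{
  isoImage = {
    isoBaseName = "oxygen";
    edition = "o2";
    makeEfiBootable = true;
    makeUsbBootable = true;
  };

  # Single-operator throwaway image: root has an empty password and is
  # auto-logged-in below.  This is only defensible because the machine is
  # air-gapped and discarded after the key ceremony; do not reuse it.
  users.users.root.initialHashedPassword = "";

  documentation.enable = true;
  documentation.nixos.enable = true;

  # copytoram loads the squashfs into RAM so the boot medium can be removed
  # once the system is up.  It does not by itself prevent writes to other
  # attached disks -- keep them unplugged during the ceremony.
  boot.kernelParams = [ "copytoram" ];
  boot.cleanTmpDir = true;
  # Kernel attack-surface reduction: no BPF program loading for unprivileged users.
  boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };

  boot.plymouth = {
    enable = true;
    # Boot splash.  Content-addressed by sha256, so the remote host cannot
    # substitute the image at build time.
    logo = pkgs.fetchurl {
      url = "https://www.themoviethemesong.com/wp-content/uploads/2014/04/The-Matrix-Theme-Song-5.jpg";
      sha256 = "0smb717ji82pqqzn6rjg10mz4kjr2nfylm60a9q9divj918l2gqf";
    };
    theme = "breeze";
  };

  # No networking of any kind; the firewall stays on as a backstop in case
  # an interface is ever brought up by hand.
  networking = {
    hostName = "oxygen"; # still need a hostname
    dhcpcd.enable = false;
    dhcpcd.allowInterfaces = [ ];
    firewall.enable = true;
    useDHCP = false;
    useNetworkd = false;
    wireless.enable = false;
  };
  boot.initrd.network.enable = false;
  systemd.network.enable = false;

  time.timeZone = "America/New_York";

  # ref: https://rzetterberg.github.io/yubikey-gpg-nixos.html
  environment.systemPackages = with pkgs; [
    bitcoin                 # presumably for offline wallet work; not needed for the PGP ceremony
    ccrypt
    cryptsetup
    diceware                # generate passphrases
    ent                     # entropy estimation
    gnupg
    (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools) # hokey lint
    midori                  # local browser for the rendered guide
    mkpasswd
    paperkey                # store pgp keys on paper
    parted
    pcsclite                # smartcard middleware
    pcsctools
    pgpdump
    pinentry-curses
    pwgen
    qrencode
    w3m-nographics          # for documentation/manual
    yubikey-manager
    yubikey-personalization
  ];

  services.udev.packages = [ pkgs.yubikey-personalization ];

  # GNUPGHOME is placed on the per-user tmpfs under /run/user, so generated
  # keys disappear at shutdown.  Everything that touches the agent is kept
  # in shellInit, in order: GNUPGHOME must be exported *before*
  # `gpg-connect-agent` runs, otherwise the agent is launched for the
  # default ~/.gnupg and a second agent is spawned later for the real home.
  # (The original set GNUPGHOME only in interactiveShellInit, which runs
  # after shellInit.)  NOTE(review): the NixOS gnupg module may kick the
  # agent even earlier in its own init -- confirm with `gpgconf --list-dirs`.
  environment.shellInit = ''
    export GPG_TTY="$(tty)"
    export GNUPGHOME="/run/user/$(id -u)/gnupghome"
    [ -d "$GNUPGHOME" ] || install -m 0700 -d "$GNUPGHOME"
    # install(1) rather than cp(1): store paths are read-only (0444) and cp
    # would carry that mode over; gpg expects owner-only files in its home.
    install -m 0600 ${gpg-conf} "$GNUPGHOME/gpg.conf"
    install -m 0600 ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
    gpg-connect-agent /bye
  '';
  environment.interactiveShellInit = ''
    echo "\$GNUPGHOME has been setup for you. Generated keys will be in $GNUPGHOME"
  '';

  # Source-only, no broken packages: everything on the image is rebuildable.
  nixpkgs.config.allowUnfree = false;
  nixpkgs.config.allowBroken = false;

  programs.bash.enableCompletion = true;
  programs.command-not-found.enable = true;
  programs.light.enable = true;
  programs.gnupg.agent.enable = true;
  # SSH support presumably so the authentication subkey can be checked with
  # `ssh-add -L` while still offline.
  programs.gnupg.agent.enableSSHSupport = true;

  services.pcscd.enable = true;
  # CUPS is extra attack surface on a key-generation box; kept, presumably
  # for printing paperkey output.  Disable if no printer is attached.
  services.printing.enable = true;

  services.xserver = {
    enable = true;
    autorun = true;
    layout = "us";
    libinput.enable = true;
    xkbOptions = "caps:ctrl_modifier";
    displayManager = {
      sddm.enable = true;
      # Whole desktop session runs as root; see the note on the root
      # password above.
      autoLogin.enable = true;
      autoLogin.user = "root";
      defaultSession = "xfce";
      sessionCommands = ''
        ${pkgs.midori}/bin/midori ${guide} &
        ${pkgs.xfce.terminal}/bin/xfce4-terminal &
      '';
    };
    desktopManager.xterm.enable = false;
    desktopManager.xfce.enable = true;
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  powerManagement.enable = false;

  # Make the pinned nixpkgs the only channel the live system knows about.
  nix.nixPath = [
    "nixpkgs=${nixpkgs}"
    "nixos-config=/etc/nixos/configuration.nix"
    "/nix/var/nix/profiles/per-user/root/channels"
  ];
  nix.useSandbox = true;
  nix.buildMachines = [ ];
  system.extraSystemBuilderCmds = "ln -sv ${pkgs.path} $out/nixpkgs";
  environment.etc.host-nix-channel.source = pkgs.path;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.03"; # Did you read the comment?

  # Air-gapped: there is nowhere to upgrade from.
  system.autoUpgrade.enable = false;
}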