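{ config, lib, pkgs, homeyConfig, ... }:

# Pi-main host configuration.
# This file declares which services run on this machine and any
# host-specific overrides. Hardware config lives in hardware.nix.
#
# Three values below are template placeholders (the admin SSH key, the
# storage device and the backup repository). The `warnings` entry at the
# bottom reports any that are still unreplaced when the system is evaluated.
{
  imports = [ ./hardware.nix ];

  # -------------------------------------------------------------------------
  # Identity
  # -------------------------------------------------------------------------
  networking.hostName = "pi-main";

  # -------------------------------------------------------------------------
  # Admin user
  # -------------------------------------------------------------------------
  users.users.admin = {
    isNormalUser = true;
    # "wheel" grants sudo. Combined with wheelNeedsPassword = false below,
    # this account is effectively root.
    extraGroups = [ "wheel" "podman" ];
    # Paste your SSH public key here
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA... your-key-here"
    ];
  };

  # Convenience on a home server.
  # NOTE(review): with passwordless sudo, anyone who obtains a shell as
  # `admin` (for example through a stolen SSH private key) is root with no
  # second check. Keep the private key passphrase-protected. If this host is
  # ever reachable by untrusted users, set this to true and give `admin` a
  # password.
  security.sudo.wheelNeedsPassword = false;

  # -------------------------------------------------------------------------
  # External HD
  # -------------------------------------------------------------------------
  homey.storage = {
    # Replace with the actual by-id path of your USB drive.
    # Find it: ls -la /dev/disk/by-id/ | grep -v part
    device = "/dev/disk/by-id/REPLACE-WITH-YOUR-DRIVE-ID";
    mountPoint = "/mnt/data";
    fsType = "ext4";
  };

  # -------------------------------------------------------------------------
  # Services enabled on this host
  # -------------------------------------------------------------------------

  # Auth stack (run these together — authelia depends on openldap)
  homey.openldap.enable = true;
  homey.authelia.enable = true;

  # Productivity
  homey.gitea.enable = true;
  homey.nextcloud.enable = true;
  # NOTE(review): phpLDAPadmin can edit the directory that Authelia
  # authenticates against. The proxy routes are not visible from this file,
  # so confirm that the ldapadmin route is gated by Authelia (or LAN-only)
  # before it is published through the tunnel.
  homey.phpldapadmin.enable = true;

  # Media (enable when ready)
  homey.jellyfin.enable = false;
  homey.transmission.enable = false;

  # Reverse proxy + Cloudflare
  homey.caddy.enable = true;
  homey.cloudflared.enable = true;

  # Backups
  homey.backup.enable = true;
  # Where to send restic backups — set to your backup destination:
  #   "sftp:user@nas.local:/backups/homey"
  #   "b2:your-bucket-name:homey"
  #   "rclone:remote:homey"
  # NOTE(review): only the destination belongs here. How the repository
  # password and remote credentials are supplied is decided by the backup
  # module, which is not visible from this file. Verify they are read from a
  # secret file and not written into the world-readable Nix store.
  homey.backup.repository = "sftp:REPLACE-WITH-BACKUP-DESTINATION";

  # -------------------------------------------------------------------------
  # Local DNS overrides (optional — makes LAN clients hit the Pi directly
  # instead of going through Cloudflare for *.home.zakobar.com)
  # -------------------------------------------------------------------------
  # If you run Pi-hole or Adguard, add these records there instead.
  # networking.extraHosts = ''
  #   192.168.1.100  home.zakobar.com
  #   192.168.1.100  auth.home.zakobar.com
  #   192.168.1.100  git.home.zakobar.com
  #   192.168.1.100  nextcloud.home.zakobar.com
  #   192.168.1.100  ldapadmin.home.zakobar.com
  # '';

  # -------------------------------------------------------------------------
  # Placeholder checks
  # -------------------------------------------------------------------------
  # Evaluation-time warnings (non-fatal) for template values that were never
  # filled in. Deploying with them means no usable SSH key is authorised by
  # this file, the data disk path does not exist, and backups have no real
  # destination. `toString` keeps the check valid whether the option is typed
  # as a string or a path.
  warnings =
    lib.optional
      (lib.any (key: lib.hasInfix "your-key-here" key)
        config.users.users.admin.openssh.authorizedKeys.keys)
      "pi-main: users.users.admin still lists the placeholder SSH key; replace it or you may be locked out."
    ++ lib.optional
      (lib.hasInfix "REPLACE-WITH" (toString config.homey.storage.device))
      "pi-main: homey.storage.device is still the template placeholder."
    ++ lib.optional
      (lib.hasInfix "REPLACE-WITH" (toString config.homey.backup.repository))
      "pi-main: homey.backup.repository is still the template placeholder; backups have no real destination.";
}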