;;; (tw system): definitions shared by every server's operating-system
;;; declaration -- the system-wide package list, keyboard layout, base user
;;; accounts, the SSH port table and the common service list.  `%ssh-ports'
;;; and `server-wireguard-address' are also consumed from other modules (see
;;; the comments on each).

(define-module (tw system)
  #:use-module (ice-9 string-fun)
  #:use-module (gnu)
  #:use-module (gnu services)
  #:use-module (gnu system)
  #:use-module (gnu system keyboard)
  #:use-module (guix gexp)
  #:use-module (tw channels)
  #:use-module (tw services wireguard))

(use-package-modules admin avahi certs curl disk file-systems linux lsof man
                     moreutils python rsync search shells version-control vpn)
(use-service-modules mcron monitoring networking ssh vpn)

;; Packages installed system-wide on every host, prepended to Guix's own
;; `%base-packages'.
(define-public %base-system-packages
  (cons* acpi btrfs-progs cpupower curl efibootmgr exfat-utils git
         glibc-locales hddtemp htop lshw lsof man-db man-pages man-pages-posix
         mlocate moreutils nss-certs nss-mdns python rsync strace
         wireguard-tools
         %base-packages))

;; UK ("gb") keyboard layout with the XKB options listed below (Caps Lock and
;; Escape swapped, parentheses and brackets swapped, right Ctrl as Compose,
;; keypad tweaks).
(define-public %british-keyboard
  (keyboard-layout "gb"
                   #:options '("caps:swapescape"
                               "parens:swap_brackets"
                               "terminate:ctrl_alt_bksp"
                               "compose:rctrl"
                               "keypad:oss"
                               "kpdl:kposs")))

;; User accounts present on every server, prepended to `%base-user-accounts'.
;; Like all Guix-declared users, "timo" starts with no password (see the
;; `allow-empty-passwords?' note in `server-base-services'), so the SSH public
;; keys configured there are the only way to log in to the account.
(define-public %server-base-user-accounts
  (cons* (user-account
          (name "timo")
          (comment "Timo Wilken")
          (group "users")
          (home-directory "/home/timo")
          (supplementary-groups '("wheel" "netdev" "audio" "video"))
          (shell (file-append zsh "/bin/zsh")))
         %base-user-accounts))

;; This is used for the servers, and also by (tw home) to generate the
;; appropriate ~/.ssh/config.  Each entry maps a host name to the port its
;; sshd listens on (`server-base-services' reads it via `assoc-ref', so a host
;; missing from this table gets a port-number of #f).
(define-public %ssh-ports
  '(("lud.twilken.net" . 22022)
    ("vin.twilken.net" . 22022)
    ("pi3.twilken.net" . 51022)))

(export server-wireguard-address)

;; Return HOST-NAME's WireGuard address as a string, optionally with PORT
;; appended: "IP:PORT", or "[IP]:PORT" when IPV6? is true.
;;
;; The address is looked up in `%wireguard-peers' (presumably exported by
;; (tw services wireguard), alongside `wireguard-peer-allowed-ips') and taken
;; from the peer's allowed-ips list -- the first entry when IPV6? is false, the
;; second when it is true -- with every occurrence of "/32" (or "/128") replaced
;; by the empty string.
;;
;; NOTE(review): this relies on every peer's allowed-ips list holding the IPv4
;; address first and the IPv6 address second, both as single-host prefixes.
;; An unknown HOST-NAME makes `assoc-ref' return #f and a one-element list makes
;; `cadr' fail, so a bad lookup raises an error while the configuration is
;; evaluated rather than yielding a wrong address.
(define* (server-wireguard-address host-name #:optional port #:key (ipv6? #f))
  (let ((ip (string-replace-substring
             ((if ipv6? cadr car)
              (wireguard-peer-allowed-ips
               (assoc-ref %wireguard-peers host-name)))
             (if ipv6? "/128" "/32")
             "")))
    (cond ((and port ipv6?) (format #f "[~a]:~a" ip port))
          (port (format #f "~a:~a" ip port))
          (else ip))))

;; Return the list of services common to every server, specialised for the
;; host called HOST-NAME.  HOST-NAME must be a key of `%ssh-ports' and of
;; `%wireguard-peers'.  `%system-channel-services' (from (tw channels),
;; presumably) and Guix's `%base-services' are appended at the end, with the
;; login service adjusted as described below.
(define-public (server-base-services host-name)
  (cons*
   ;; SSH login, allowing access only for me. To give more public keys
   ;; access, extend `openssh-service-type'.
   ;; Password authentication is disabled outright, so the authorized-keys
   ;; below are the only accepted credentials; the listening port is taken from
   ;; `%ssh-ports', and only LANG/LC_* are accepted from the client environment.
   (service openssh-service-type
            (openssh-configuration
             (port-number (assoc-ref %ssh-ports host-name))
             (password-authentication? #f)
             (accepted-environment '("LANG" "LC_*"))
             (authorized-keys
              `(("timo" ,(local-file "system/files/timo.pub")
                 ,(local-file "system/files/timo-phone-gpg.pub"))))))
   ;; Prometheus node exporter
   ;; Bound to the host's WireGuard IPv4 address on port 9100 rather than to all
   ;; interfaces, so the metrics endpoint is presumably reachable only over the
   ;; WireGuard link.
   (service prometheus-node-exporter-service-type
            (prometheus-node-exporter-configuration
             (web-listen-address (server-wireguard-address host-name 9100))))
   ;; Nightly at 02:00: delete system generations older than two weeks, then
   ;; collect garbage from the store.
   (simple-service 'guix-gc mcron-service-type
                   (list #~(job "0 2 * * *" "guix gc -d 2w")))
   ;; Network setup
   (service dhcp-client-service-type)
   (service ntp-service-type)
   ;; Site-specific WireGuard service; `this-host' selects this machine's entry
   ;; among the peers.
   (service tw-wireguard-service-type
            (tw-wireguard-configuration (this-host host-name)))
   (modify-services (append %system-channel-services %base-services)
     ;; Delete the annoying message on SSH login. Beware when setting up a new
     ;; host, as `allow-empty-passwords' will block login and sudo execution for
     ;; all Guix-declared users (as these have no initial password).
     (login-service-type config =>
                         (login-configuration
                          (inherit config)
                          (motd (plain-file "no-motd" ""))
                          (allow-empty-passwords? #f))))))