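{ modulesPath, tree, config, pkgs, lib, ... }:
let
  # Paths of the secret files (restic repository password and the env file
  # carrying the repository credentials) are looked up from the secrets
  # database; the files themselves are provisioned via ./secrets.nix.
  secrets-db = (import ./secrets-db.nix { });

  # Operator wrapper: runs restic against the same repository, with the same
  # credentials, as the scheduled services.restic.backups.vault job.
  restic-vault = pkgs.writeShellScriptBin "restic-vault" ''
    set -eu
    # Source the credentials instead of splicing `$(cat envfile)` into the
    # argv of `env`: command-line arguments are readable by every local user
    # (ps, /proc/<pid>/cmdline), so secrets must not travel through them.
    # NOTE(review): assumes the env file is plain KEY=VALUE lines, as the
    # systemd-style environmentFile used by the backup job below expects.
    set -a
    . "${secrets-db.restic_env.path}"
    set +a
    export RESTIC_PASSWORD_FILE="${secrets-db.restic_password.path}"
    # "$@" (quoted) forwards arguments containing spaces unchanged; the
    # unquoted form would re-split them.
    exec ${pkgs.restic}/bin/restic "$@"
  '';
in
{
  imports = with tree; [
    users.root
    profiles.base
    profiles.sshd
    profiles.nix-gc
    profiles.nginx
    ./profiles/wireguard.nix
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];

  # Vault listens on loopback only; TLS is terminated by the nginx vhost
  # below, so the listener itself is reached over plain HTTP on 127.0.0.1.
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;
    address = "127.0.0.1:8200";
    # Single-node file storage under /var/lib/vault (backed up below).
    storageBackend = "file";
    extraConfig = ''
      ui = true
    '';
  };

  # Only the public HTTP/HTTPS ports are opened; 8200 stays loopback-only.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx.virtualHosts."vault.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:8200";
      };
    };
  };

  # Daily off-site backup of the Vault data directory and the ACME state
  # (certificates and their private keys). Restoring /var/lib/vault still
  # requires the unseal material, which is not part of this backup.
  services.restic.backups.vault = {
    user = "root";
    paths = [
      "/var/lib/vault"
      "/var/lib/acme"
    ];
    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "daily";
    };
    # env contains fixed repository with auth
    repository = "rest:https://storage-restic.owo.monster/HetznerVM";
    passwordFile = "${secrets-db.restic_password.path}";
    environmentFile = "${secrets-db.restic_env.path}";
  };

  environment.systemPackages = [ restic-vault ];

  home-manager.users.root = {
    imports = with tree; [
      home.base
      home.dev.small
    ];
    home.stateVersion = "22.05";
  };

  networking.hostName = "vault";
  time.timeZone = "Europe/London";
  system.stateVersion = "21.11";
}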