nixos-config/hosts/media-server/configuration.nix

{ config, lib, nix-config, inputs, pkgs, ... }:

{
  imports = with nix-config.nixosModules; [
      ./hardware-configuration.nix
      sops-config
      filesystems
    ];

  nixpkgs = {
    config = {
      allowUnfree = true;
    };

    overlays = builtins.attrValues nix-config.overlays ++ [
      inputs.nh.overlays.default
    ];
  };

  nix = {
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
      ];
      substituters = [
        "https://nix-community.cachix.org"
        "https://cache.garnix.io"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
      ];
    };

    registry = {
      emenel-templates.flake = inputs.emenel-templates;
    };

    channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "nfs" ];

  networking.hostName = "media-server"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

  # Set your time zone.
  time.timeZone = "America/Toronto";

  sops-config = {
    key-file = "/home/media/.config/sops/age/keys.txt";
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.media = {
    isNormalUser = true;
    extraGroups = [ "wheel" "input" "audio" "video" "network" "networkmanager" ]; # Enable ‘sudo’ for the user.
  };

  environment.systemPackages = with pkgs; [
    wget
    curl
    cifs-utils
  ];

  fonts = {
    enableDefaultPackages = true;
    fontDir.enable = true;
    fontconfig = {
      enable = true;
      useEmbeddedBitmaps = true;
    };
  };


  hardware = {
    amdgpu.initrd.enable = true;
    enableAllFirmware = true;
    uinput.enable = true;
  };

  services.power-profiles-daemon = {
    enable = true;
    package = pkgs.power-profiles-daemon;
  };

  services.getty.autologinUser = "media";

  # enable the OpenSSH daemon.
  services.openssh.enable = true;
  programs.ssh.startAgent = true;

  services.resolved = {
    enable = true;
    extraConfig = ''
      LLMNR=no
      ReadEtcHosts=no
      DNSSEC=no
    '';
  };
  services.avahi = {
    enable = true;
    publish.enable = true;
    publish.userServices = true;
    openFirewall = true;
    nssmdns4 = true;
  };
  services.samba = {
    enable = true;
    package = pkgs.sambaFull;
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "media-server";
        "netbios name" = "media-server";
        "security" = "user";
        # "hosts allow" = "192.168.50. 127.0.0.1 localhost";
        # "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
      };
      "import" = {
        "path" = "/mnt/shares/import";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "media";
      };
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };

  programs.nh = {
    enable = true;
    clean = {
      enable = true;
      dates = "daily";
      extraArgs = "--keep 4";
    };
    flake = "/home/media-server/nixos-config";
    package = pkgs.nh;
  };

  # enable fish and launch it from bash for interactive shells
  programs.fish.enable = true;
  environment.pathsToLink = [ "/share/fish" ];
  programs.bash = {
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
       then
         shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
         exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
       fi
    '';
  };

  programs.git = {
    enable = true;
  };

  services.tailscale.enable = true;
  systemd.services.tailscaled.after = [ "NetworkManager-wait-online.service" ];

  nixarr = {
    enable = true;

    # mediaDir = "/mnt/filez/media";
    stateDir = "/data/media/.state/nixarr";

    mediaUsers = [
      "media"
      "plex"
      "sonarr"
      "radarr"
      "lidarr"
      "bazarr"
      "prowlarr"
    ];

    transmission = {
      enable = true;
    };

    sabnzbd = {
      enable = true;
    };

    bazarr.enable = true;
    lidarr.enable = true;
    prowlarr.enable = true;
    radarr.enable = true;
    readarr.enable = true;
    sonarr.enable = true;
    jellyseerr.enable = true;
  };

  services.plex = {
    enable = true;
    openFirewall = true;
  };

  systemd.targets.sleep.enable = false;
  systemd.targets.suspend.enable = false;
  systemd.targets.hibernate.enable = false;
  systemd.targets.hybrid-sleep.enable = false;

  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "25.05"; # Did you read the comment?

}