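# NixOS host configuration for "leonard": a GRUB-booted host that runs the
# nginx/MySQL-backed sites imported below and is restricted from initiating
# connections to other devices on the LAN.
{ config, pkgs, lib, ... }:

let
  # iptables(8) only accepts IPv4 destinations; an IPv6 entry in
  # networking.nameservers would otherwise make the firewall start script fail.
  # (IPv6 egress is not restricted by the rules below anyway.)
  ipv4Nameservers = builtins.filter (addr: !(lib.hasInfix ":" addr)) config.networking.nameservers;
in
{
  imports = [
    ../../base.nix
    ../../common/metrics-exporters.nix
    ../../common/auto-upgrade.nix
    ./hardware-configuration.nix
    ./services/nginx.nix
    ./services/mysql.nix
    ./services/www-feal-no
    ./services/www-kinealbrigtsen-no.nix
  ];

  # This host boots with legacy GRUB installed to /dev/sda. mkForce overrides
  # whatever the shared base.nix sets for systemd-boot (presumably enabled
  # there — confirm in ../../base.nix).
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

  networking = {
    hostName = "leonard";
    defaultGateway = "192.168.10.1";
    interfaces.ens18.ipv4 = {
      addresses = [
        { address = "192.168.10.207"; prefixLength = 24; }
      ];
    };
    hostId = "b99c12d1";

    # Egress restriction: this host may not open connections to other devices on
    # 192.168.10.0/24 or 192.168.11.0/24, except for the explicit exceptions
    # below. The OUTPUT chain policy is left untouched, so destinations outside
    # those two networks are not affected. Rules are appended in order, so every
    # exception has to come before the two refuse rules.
    # NOTE(review): only iptables (IPv4) is handled here; IPv6 traffic on the LAN
    # is not restricted by these rules — confirm whether IPv6 is in use on ens18.
    firewall.extraCommands = lib.strings.concatLines (
      [
        # Start from an empty chain so re-running the script does not stack
        # duplicate rules.
        "iptables -F OUTPUT"
      ]
      # Exception for DNS: UDP for ordinary queries, TCP for the fallback used
      # when a response is truncated (large records, DNSSEC).
      ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") ipv4Nameservers)
      ++ (map (addr: "iptables -A OUTPUT -p tcp --dport 53 -d ${addr} -j nixos-fw-accept") ipv4Nameservers)
      ++ [
        # Exception for loki logging
        "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept"
        # Packets belonging to connections that were already allowed (e.g. replies
        # to LAN clients of the services this host runs) must still be able to leave.
        "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
        "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
      ]
    );

    # Undo the OUTPUT rules when the firewall is stopped or reloaded; otherwise
    # they linger past the teardown of the nixos-fw-* chains they reference.
    firewall.extraStopCommands = "iptables -F OUTPUT";
  };

  sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
  environment.variables = { EDITOR = "vim"; };
  system.stateVersion = "25.05";
}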