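# NixOS module for the host "ekman": HPC frontend, Slurm server, Kubernetes
# master/node and NFS server for the cluster networks.
#
# `features.*` and `node.myvnc` are project-defined options; their semantics
# live in the imported modules, not in this file.
{ pkgs, ...}:
let
  # Compute-node list, shared by the k8s node set and the monitoring scrape list.
  nodes = import ./nixops/ekman/nodes.nix;
in
{
  # deployment.tags = [ "frontend" ];
  node.myvnc = true;

  # This machine is a server: never sleep, suspend or hibernate.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  features = {
    host = {
      address = "10.255.241.100";
      name = "ekman";
    };

    os = {
      externalInterface = "enp33s0f0np0";
      nfs.enable = true;
      # NOTE(review): both exports use `no_root_squash`, so root on any client
      # in these two /24 networks acts as root on the exported files, and
      # `insecure` accepts requests from unprivileged source ports (> 1023),
      # i.e. from any local user on such a client. Confirm that every host on
      # these networks is trusted at that level; otherwise drop `insecure`
      # and/or use root_squash.
      nfs.exports = ''
        /exports 10.255.241.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
        /exports 10.255.243.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
      '';
    };

    hpc = {
      slurm.server = true;
      frontend = true;
    };

    k8s = {
      master.enable = true;
      node.enable = true;
      inherit nodes;
    };

    monitoring = {
      server = {
        enable = false;
        scrapeHosts = [ "frontend" "mds1-0" ] ++ (builtins.map (x: x.name) nodes);
        defaultAlertReceiver = {
          email_configs = [
            { to = "jonas.juselius@oceanbox.io"; }
          ];
        };
        pageAlertReceiver = {
          webhook_configs = [
            {
              url = "https://prometheus-msteams.k2.itpartner.no/ekman";
              http_config = {
                # NOTE(review): certificate verification is switched off for
                # the paging webhook, so the endpoint is not authenticated and
                # alert payloads can be read or diverted by anyone on the
                # network path. If the endpoint uses a private CA, pin it with
                # tls_config.ca_file instead of skipping verification.
                tls_config = { insecure_skip_verify = true; };
              };
            }
          ];
        };
      };

      webUI.enable = false;
      webUI.acmeEmail = "innovasjon@itpartner.no";
      # Source networks listed for the (currently disabled) web UI.
      webUI.allow = [
        "10.1.2.0/24"
        "172.19.254.0/24"
        "172.19.255.0/24"
      ];

      infiniband-exporter = {
        enable = true;
        # Pairs of InfiniBand GUID and node name.
        nameMap = ''
          0x0c42a10300dbe7f4 "c0-1"
          0x0c42a10300ddc4bc "c0-2"
        '';
      };

      slurm-exporter = {
        enable = true;
        port = 6080;
      };
    };
  };

  networking = {
    useDHCP = false;
    hostName = "ekman";

    interfaces.enp33s0f0np0 = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "10.255.242.2"; prefixLength = 24; }
      ];
    };

    interfaces.enp33s0f3np3 = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "10.255.241.100"; prefixLength = 24; }
      ];
    };

    interfaces.ibp65s0 = {
      useDHCP = false;
      ipv4.addresses = [
        { address = "10.255.243.100"; prefixLength = 24; }
      ];
    };

    defaultGateway = "10.255.242.1";

    # NOTE(review): the ACCEPT rule is inserted at the top of INPUT and matches
    # on source address only, so it opens every port to anything presenting a
    # 10.255.243.0/24 source address on any interface, ahead of the NixOS
    # firewall chain. 10.255.243.0/24 is the network configured on ibp65s0
    # above; adding `-i ibp65s0` (and `-o` on the MASQUERADE rule) would tie
    # the rules to the intended interfaces.
    firewall.extraCommands = ''
      iptables -I INPUT -s 10.255.243.0/24 -j ACCEPT
      iptables -t nat -A POSTROUTING -s 10.255.243.0/24 -j MASQUERADE
    '';
  };

  fileSystems = {
    "/exports/home" = {
      device = "/home";
      options = [ "bind" ];
    };
    "/frontend" = {
      device = "/home";
      options = [ "bind" ];
    };
    "/vol/local-storage/vol1" = {
      device = "/vol/vol1";
      options = [ "bind" ];
    };
    "/vol/local-storage/vol2" = {
      device = "/vol/vol2";
      options = [ "bind" ];
    };
  };

  # Key used to sign store paths built on this host. The file lives outside the
  # Nix store; it should be readable by root only (verify on the host).
  nix.extraOptions = ''
    secret-key-files = /etc/nix/ekman.key
  '';

  services.xserver = {
    enable = true;
    # Allows a console user to kill the X server with Ctrl+Alt+Backspace.
    enableCtrlAltBackspace = true;
    layout = "us";
    xkbVariant = "altgr-intl";
    xkbOptions = "eurosign:e";
    displayManager = {
      gdm.enable = true;
      job.logToFile = true;
    };
    desktopManager.xfce.enable = true;
  };

  services.prometheus.alertmanager = {
    # The SMTP password was previously a string literal in this file, which
    # publishes it in version control and in the world-readable /nix/store.
    # It is now supplied at service start: the NixOS alertmanager module runs
    # envsubst over the generated config with the variables from
    # environmentFile.
    # PLACEHOLDER path: point this at a root-owned, mode 0600 file deployed
    # outside the store that contains a line SMTP_AUTH_PASSWORD=<secret>.
    # The password that was committed earlier should be treated as exposed and
    # rotated on the SMTP gateway.
    environmentFile = "/var/lib/secrets/alertmanager.env";

    configuration.global = {
      smtp_smarthost = "smtpgw.itpartner.no:465";
      smtp_auth_username = "utvikling";
      # Literal "$NAME" (no braces) is not Nix interpolation; envsubst expands it.
      smtp_auth_password = "$SMTP_AUTH_PASSWORD";
      smtp_hello = "ekman.oceanbox.io";
      smtp_from = "noreply@ekman.oceanbox.io";
    };
  };

  # services.nginx = {
  #   virtualHosts = {
  #     "ds.matnoc.regnekraft.io" = {
  #       forceSSL = true;
  #       enableACME = true;
  #       serverAliases = [];
  #       locations."/" = {
  #         proxyPass = "http://localhost:9088";
  #         proxyWebsockets = false;
  #         extraConfig = ''
  #           allow 10.1.2.0/24;
  #           allow 172.19.254.0/24;
  #           allow 172.19.255.0/24;
  #           deny all;
  #         '';
  #       };
  #     };
  #   };
  # };

  # NOTE(review): if the runner below is re-enabled, the sudo rule lets the
  # gitlab-runner account run singularity as root without a password, which
  # gives CI jobs on the shell executor a route to root on this host.
  # services.gitlab-runner = {
  #   enable = true;
  #   extraPackages = with pkgs; [
  #     singularity
  #   ];
  #   concurrent = 4;
  #   services = {
  #     sif = {
  #       registrationConfigFile = "/var/lib/secrets/gitlab-runner-registration";
  #       executor = "shell";
  #       tagList = [ "ekman" "sif" ];
  #     };
  #   };
  # };

  # security.sudo.extraConfig = ''
  #   gitlab-runner ALL=(ALL) NOPASSWD: /run/current-system/sw/bin/singularity
  # '';

  security.pam = {
    # Adds the Google Authenticator (TOTP) PAM module to the sshd PAM stack.
    services.sshd.googleAuthenticator.enable = true;

    # Hard per-user limits for members of the "users" group. Per limits.conf(5)
    # `rss` is in KB and `cpu` is in minutes.
    # NOTE(review): limits.conf(5) documents `rss` as ignored by Linux 2.4.30
    # and later, so the memory cap is probably not enforced; confirm, and use a
    # cgroup or Slurm memory limit if a real cap is required.
    loginLimits = [
      {
        domain = "@users";
        item = "rss";
        type = "hard";
        value = 16000000;
      }
      {
        domain = "@users";
        item = "cpu";
        type = "hard";
        value = 180;
      }
    ];
  };

  # ssh-rsa is deprecated, but putty/winscp users use it
  # services.openssh.extraConfig = ''
  #   pubkeyacceptedalgorithms ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
  # '';

  imports = [
    ./nixops/ekman/cluster.nix
    ./hardware-configuration.nix
  ];
}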