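# NixOS system configuration for the host "nix-nas": ZFS-backed NAS, Docker and
# libvirt host, signed Nix binary cache, and a Kodi kiosk session that is
# started and stopped depending on whether an HDMI sink is connected.
{ config, pkgs, ... }:

let
  # Absolute path, so the udev-triggered script does not depend on whatever
  # PATH udev hands to RUN programs.
  systemctl = "${config.systemd.package}/bin/systemctl";

  # Invoked by the udev rule at the bottom of this file on DRM hotplug events.
  # Starts display-manager.service when the first HDMI-A connector reports
  # "connected" and stops it otherwise. Exits 0 when no HDMI-A connector exists.
  #
  # writeShellScript already prepends a shebang, so none is written here.
  # Only bash builtins are used to read sysfs (no ls/head/cat).
  hdmiHandler = pkgs.writeShellScript "hdmi-display-manager" ''
    set -euo pipefail

    # First matching connector status file; an unmatched glob stays literal
    # and is filtered out by the -e test.
    port=""
    for candidate in /sys/class/drm/card*-HDMI-A-*/status; do
      [[ -e "$candidate" ]] || continue
      port="$candidate"
      break
    done
    [[ -n "$port" ]] || exit 0

    # Treat an unreadable status file as "disconnected".
    status="disconnected"
    read -r status < "$port" || true

    # --no-block: udev expects RUN programs to return quickly, so only queue
    # the job instead of waiting for the display manager to come up or down.
    if [[ "$status" == "connected" ]]; then
      ${systemctl} --no-block start display-manager.service
    else
      ${systemctl} --no-block stop display-manager.service
    fi
    exit 0
  '';
in
{
  imports = [ ./hardware/hardware-configuration.nix ];

  #### Boot
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.kernelModules = [ "overlay" "vmd" ];

  # Directories created by systemd-tmpfiles inside the initrd.
  boot.initrd.systemd.tmpfiles.settings."nixdirs" = {
    "/nix".d = { mode = "0755"; type = "d"; user = "root"; group = "root"; };
    "/nix/.ro-store".d = { mode = "0755"; type = "d"; user = "root"; group = "root"; };
    "/nix/.rw-store".d = { mode = "0755"; type = "d"; user = "root"; group = "root"; };
  };

  boot.zfs.extraPools = [ "tank" ];

  # Kernel is pinned until ZFS 2.3.x is ready for 6.13.
  boot.kernelPackages = pkgs.linuxPackages_6_12;

  #### Network identity
  networking.hostName = "nix-nas";
  networking.hostId = "39373132"; # via: head -c4 /etc/machine-id | od -An -tx4

  #### Filesystems
  fileSystems."/" = {
    device = "rpool/root";
    fsType = "zfs";
    neededForBoot = true;
  };
  fileSystems."/nix" = {
    device = "rpool/nix";
    fsType = "zfs";
    neededForBoot = true;
  };
  fileSystems."/home" = {
    device = "tank/home";
    fsType = "zfs";
  };
  fileSystems."/tank" = {
    device = "tank/media";
    fsType = "zfs";
  };
  swapDevices = [ ];

  #### Users
  users.users.nicole = {
    isNormalUser = true;
    # NOTE(review): an inline hash is copied into the world-readable Nix store
    # and travels with every copy of this file. Prefer
    # users.users.<name>.hashedPasswordFile pointing at a root-only file, and
    # rotate the password if this file has been shared or published.
    hashedPassword = "$6$p73d5mOLoSuJGOol$KRlszaPXZK9/frADlfR3kAr/57DD5f4.CPTGNNX80QWEWFE5y.bM1WiZwmRHiAlrws3q/zCDQ6AqeSyCUX.8U/";
    # "wheel" (passwordless sudo, see below) and "docker" are both
    # root-equivalent; "libvirtd" grants control over the VMs.
    extraGroups = [ "wheel" "docker" "libvirtd" "video" "render" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAsiKDWCwyf1usprg3K6Zk0xE9S4DX6+Bc4+nIOZGmf drezil@Manticore"
    ];
  };

  users.users.kodi = {
    isNormalUser = true;
    home = "/home/kodi";
    description = "Kodi Auto-Login User";
    extraGroups = [ "video" "render" ]; # GPU/DRM access
    linger = true; # user scope may run headless
    # not in wheel => no sudo
  };

  system.stateVersion = "25.05"; # set once, do not bump on upgrades

  #### Privilege and remote access
  # NOTE(review): with this set, any process running as a wheel member can
  # become root without a prompt. Combined with SSH access for "nicole", the
  # SSH key is effectively a root credential.
  security.sudo.wheelNeedsPassword = false;

  services.openssh.enable = true;
  # Key-only logins: "nicole" has an authorized key above, so password-based
  # SSH is not needed and is turned off together with direct root login.
  # Confirm the key login works before deploying this on a headless box.
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };

  #### ZFS maintenance
  services.zfs.autoScrub.enable = true;

  # Snapshots & details come later.
  systemd.services.zfs-prune-snapshots = {
    description = "Remove ZFS snapshots older than policy";
    # NOTE(review): environment.systemPackages below does not list a package
    # providing this binary, so this path only exists if it is installed
    # elsewhere - confirm, and confirm the flags match the tool in use.
    serviceConfig.ExecStart = "/run/current-system/sw/bin/zfs-prune-snapshots -r --keep=2w";
    startAt = "daily";
  };

  systemd.services.systemd-udev-settle.enable = false;
  systemd.services.NetworkManager-wait-online.enable = false;

  environment.systemPackages = with pkgs; [
    git
    vim
    zfs
    virt-viewer
    kodi
  ];

  #### Virtualisation
  virtualisation.docker.enable = true;
  virtualisation.libvirtd.enable = true;
  users.groups.docker.members = [ "nicole" ];
  programs.virt-manager.enable = true;

  #### Nix binary cache
  services.nix-serve = {
    enable = true;
    # Signing key: must be readable only by root and the nix-serve service.
    secretKeyFile = "/var/cache/nix/secret-key";
    # NOTE(review): opens port 5000 on every interface, and nix-serve does no
    # authentication. Restrict to the LAN interface in the firewall if this
    # host is reachable from less trusted networks.
    openFirewall = true;
    port = 5000;
  };

  nix.settings = {
    # NOTE(review): "nix-nas" is this host's own name (networking.hostName),
    # so the first entry makes the cache substitute from itself. The plain
    # http transport is acceptable only because paths are signature-checked
    # against trusted-public-keys.
    substituters = [
      "http://nix-nas:5000"
      "https://cache.nixos.org"
    ];
    trusted-public-keys = [
      "nas-cache:rgCDn9SwmvxvhjiEiRgrjAuAEyRiJT/aBIlywetuypM="
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" # default key of the upstream cache
    ];
    secret-key-files = [ "/var/cache/nix/secret-key" ];
  };

  ##########################################################################
  ### Kodi & TV detection ##################################################
  ##########################################################################
  services.xserver = {
    enable = true;
    videoDrivers = [ "modesetting" ]; # Intel iGPU
    desktopManager.kodi = {
      enable = true;
      package = (pkgs.kodi.withPackages (kodiPkgs: with kodiPkgs; [
        jellyfin
        netflix
        mediacccde
        mediathekview
        sponsorblock
        youtube
      ]));
    };
    displayManager.startx.enable = false; # uses LightDM internally
  };

  # The unprivileged "kodi" account is logged in without a password on the
  # local display; it has no wheel membership.
  services.displayManager.autoLogin = {
    enable = true;
    user = "kodi";
  };

  ### udev rule + script ###################################################
  # Runs hdmiHandler (as root, from udev) on every DRM hotplug change event.
  services.udev.extraRules = ''
    ACTION=="change", SUBSYSTEM=="drm", ENV{HOTPLUG}=="1", RUN+="${hdmiHandler}"
  '';
}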