{ inputs, config, lib, pkgs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
      ../modules/nasp.nix
    ];

  nasp = {
    enable = true;
  };

  ## nix
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  ## hardware and system
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  time.hardwareClockInLocalTime = true;
  ## network
  services.resolved.enable = true;
  networking.nameservers = [
    "166.111.8.29"
    "166.111.8.28"
  ];
  networking.networkmanager.enable = false;
  networking.useDHCP = false;
  systemd.network.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 12022 ];
  ## packages and services
  nixpkgs.config.allowUnfree = true;
  ## desktop
  services.xserver = {
    enable = true;
    displayManager.gdm.enable = true;
    desktopManager.gnome.enable = true;
    xkb.layout = "us";
  };

  # networking
  networking.hostName = "web-server";
  systemd.network.networks."10-thunet" = {
    matchConfig.Name = "enp3s0f0";
    networkConfig = {
      DHCP = "no";
      IPv6AcceptRA = false;
    };
    address = [ "166.111.68.109/28" ];
    routes = [
      {
        routeConfig = {
          Gateway = "166.111.68.97";
          GatewayOnLink = true;
          Metric = 90;
        };
      }
    ];
  };

  # service: nginx
  services.nginx = {
    enable = true;
    virtualHosts."nasp.cs.tsinghua.edu.cn" = {
      http2 = true;
      addSSL = true;
      enableACME = true;
      locations."/" = {
        root = "/data0/var/www/www";
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "xd21@mails.tsinghua.edu.cn";
  };

  system.stateVersion = "24.05";
}