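# NixOS configuration for the host "noisebridge-pi": Wi-Fi, mDNS, agenix-managed
# secrets, the noisebell service, Tailscale and SSH access for root.
{ config, pkgs, ... }:
{
  system.stateVersion = "24.11";

  networking.hostName = "noisebridge-pi";

  networking.wireless = {
    enable = true;
    # NOTE(review): this PSK is a plain-text literal, so it ends up in the
    # world-readable Nix store and in version control. That is acceptable only
    # if the network passphrase is intentionally public; otherwise supply it
    # out of band (e.g. networking.wireless.secretsFile) like the agenix
    # secrets below.
    networks."Noisebridge".psk = "noisebridge";
  };

  # Publish this host's addresses over mDNS and enable mDNS lookups via NSS.
  services.avahi = {
    enable = true;
    nssmdns4 = true;
    publish = {
      enable = true;
      addresses = true;
    };
  };

  # Decrypted at runtime by agenix
  # No owner is set for the Tailscale key, so agenix's default ownership applies.
  age.secrets.tailscale-auth-key.file = ./secrets/tailscale-auth-key.age;

  # The two API keys are owned by the "noisebell" user so the service can read
  # them; presumably the service runs as that user (defined in its module).
  age.secrets.api-key = {
    file = ./secrets/api-key.age;
    owner = "noisebell";
  };

  age.secrets.inbound-api-key = {
    file = ./secrets/inbound-api-key.age;
    owner = "noisebell";
  };

  services.noisebell = {
    enable = true;
    # NOTE(review): port 80 suggests a plain-HTTP listener. If clients present
    # the inbound API key over the Wi-Fi interface rather than tailscale0, the
    # key is not protected in transit; confirm how the module binds the
    # listener and whether it opens this port in the firewall.
    port = 80;
    endpointUrl = "https://noisebell.extremist.software/webhook";
    # Keys are passed as file paths, so their values stay out of the Nix store.
    apiKeyFile = config.age.secrets.api-key.path;
    inboundApiKeyFile = config.age.secrets.inbound-api-key.path;
  };

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-auth-key.path;
  };

  services.openssh = {
    enable = true;
    # Only key-based login is provisioned below, so turn off the password and
    # keyboard-interactive methods that sshd would otherwise still offer.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    # NOTE(review): services.openssh.openFirewall defaults to true, so sshd is
    # also reachable from the Wi-Fi network, not only over tailscale0. Set it to
    # false if SSH access is meant to be Tailscale-only.
  };

  networking.firewall = {
    # Everything arriving on the Tailscale interface bypasses the firewall.
    trustedInterfaces = [ "tailscale0" ];
    # Let Tailscale's UDP port through on the other interfaces.
    allowedUDPPorts = [ config.services.tailscale.port ];
  };

  # The only login credential declared in this file: one ed25519 key for root.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
  ];
}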