# ============================================================================
# USDA Dashboard External System Module
# ============================================================================
# External system configuration for usda-dash
#
# USAGE FROM ATHENIX:
#
# 1. Add required flake inputs in athenix/flake.nix:
#
#    inputs.usda-vision = {
#      url = "git+https://git.factory.uga.edu/MODEL/usda-vision.git";
#      inputs.nixpkgs.follows = "nixpkgs";
#    };
#
# 2. Pass inputs to modules via specialArgs:
#
#    nixosConfigurations.proxmox-usda-dash = nixpkgs.lib.nixosSystem {
#      specialArgs = { inherit inputs; };
#      modules = [
#        ./path/to/usda-dash-config/default.nix
#      ];
#    };
#
# 3. Configure secrets in athenix:
#
#    age.secrets.usda-vision-env.file = ./secrets/usda-vision/env.age;
#
# Shape of this file: a function taking the flake `inputs` and returning an
# ordinary NixOS module ({ config, lib, pkgs, ... }: { ... }).

{ inputs, ... }:

{ config, lib, pkgs, ... }:

{
  # Pull in the NixOS module shipped by the usda-vision flake; it is what
  # declares the services.usda-vision options set below.
  imports = [ inputs.usda-vision.nixosModules.default ];

  config = {
    # ------------------------------------------------------------------
    # usda-vision service
    # ------------------------------------------------------------------
    services.usda-vision = {
      enable = true;
      package = inputs.usda-vision.packages.${pkgs.system};
      hostname = "192.168.1.156";
      replaceHostnames = true;
      # Falls back to null when no usda-vision-env secret is declared (see
      # usage step 3). NOTE(review): how the usda-vision module treats a
      # null envFile is not visible here - confirm the service fails closed
      # rather than starting without its environment/secrets.
      envFile = config.age.secrets.usda-vision-env.path or null;
    };

    # ------------------------------------------------------------------
    # Nix daemon settings for the LXC container
    # ------------------------------------------------------------------
    # NOTE(review): sandbox = false turns off build isolation, so every
    # derivation built on this host can reach the network and the host
    # filesystem with the build user's rights. Keep it only while the
    # container cannot support the sandbox, and treat every flake input
    # built here as trusted code.
    nix.settings.sandbox = false;
    nix.settings.experimental-features = [
      "nix-command"
      "flakes"
    ];

    # ------------------------------------------------------------------
    # Kernel: IPv4 forwarding for nested containers
    # ------------------------------------------------------------------
    # With forwarding on and the firewall off (see the end of this file),
    # nothing in this file filters packets routed through the host.
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;

    # ------------------------------------------------------------------
    # Users
    # ------------------------------------------------------------------
    athenix.users.sv22900.enable = true;

    # NOTE(review): membership in the docker group is effectively root on
    # this host (the Docker socket lets a member start privileged
    # containers and mount the host filesystem). Limit it to accounts that
    # are already trusted with root.
    users.users = {
      sv22900.extraGroups = [ "docker" ];
      engr-ugaif.extraGroups = [ "docker" ];
    };

    # ------------------------------------------------------------------
    # Extra system packages
    # ------------------------------------------------------------------
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.htop
      pkgs.curl
      pkgs.wget
      pkgs.nfs-utils
    ];

    # ------------------------------------------------------------------
    # NFS share
    # ------------------------------------------------------------------
    services.rpcbind.enable = true;

    # NOTE(review): no sec= option is set, so the NFS security flavor is
    # whatever client and server negotiate by default; if that is
    # AUTH_SYS, the server trusts client-supplied UIDs - confirm the
    # export is restricted to this host. "soft" on a read-write mount
    # means a timed-out request returns an I/O error to the application
    # instead of retrying, which can leave partially written files.
    fileSystems."/mnt/nfs_share" = {
      device = "192.168.1.249:/mnt/nfs_share";
      fsType = "nfs";
      options = [
        "nfsvers=4"
        "rw"
        "soft"
        "_netdev"
      ];
    };

    # Create the mount point: directory, mode 0755, owned by root:root.
    systemd.tmpfiles.rules = [ "d /mnt/nfs_share 0755 root root -" ];

    # ------------------------------------------------------------------
    # Firewall
    # ------------------------------------------------------------------
    # NOTE(review): enable = false switches the NixOS firewall off
    # entirely, so the allowedTCPPorts / allowedUDPPorts / allowPing
    # values below are inert and every listening socket on this host is
    # reachable from its network. The lists only take effect once enable
    # is set to true; validate container networking before flipping it.
    networking.firewall = {
      enable = false;
      allowedTCPPorts = [
        80
        443
        3000
        3001
        3002
        3003
        4000
        54321
        54322
        54323
        54324
        54327
        8000
        8025
        8090
        8189
        8554
        8889
      ];
      allowedUDPPorts = [ 3956 ];
      allowPing = true;
    };
  };
}