  1{
  2  globals,
  3  libx,
  4  pkgs,
  5  ...
  6}:
  7{
  8  imports = [
  9    ../common/services/prometheus-exporters-node.nix
 10    ../common/services/containers.nix
 11    ../common/services/docker.nix
 12    ../common/services/libvirt.nix
 13  ];
 14
 15  age.secrets."aria2RPCSecret" = {
 16    file = ../../secrets/shikoku/aria2rpcsecret.age;
 17    mode = "444";
 18    owner = "aria2";
 19    group = "aria2";
 20  };
 21  nixpkgs.config.permittedInsecurePackages = [
 22    "dotnet-sdk-6.0.428"
 23    "aspnetcore-runtime-6.0.36"
 24  ];
 25
 26  # TODO make it an option ? (otherwise I'll add it for all)
 27  users.users.vincent.linger = true;
 28
 29  services = {
 30    wireguard = {
 31      enable = true;
 32      ips = libx.wg-ips globals.machines.shikoku.net.vpn.ips;
 33      endpoint = "${globals.net.vpn.endpoint}";
 34      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
 35    };
 36    aria2 = {
 37      enable = true;
 38      openPorts = true;
 39      # extraArguments = "--max-concurrent-downloads=20";
 40      settings = {
 41        max-concurrent-downloads = 20;
 42      };
 43      downloadDir = "/data/downloads";
 44      rpcSecretFile = "${pkgs.writeText "aria" "aria2rpc\n"}";
 45    };
 46    bazarr = {
 47      enable = true;
 48      # Use reverse proxy instead
 49      openFirewall = true;
 50    };
 51    radarr = {
 52      enable = true;
 53      # Use reverse proxy instead
 54      openFirewall = true;
 55    };
 56    sonarr = {
 57      enable = true;
 58      # Use reverse proxy instead
 59      openFirewall = true;
 60    };
 61    prowlarr = {
 62      enable = true;
 63      # Use reverse proxy instead
 64      openFirewall = true;
 65    };
 66    readarr = {
 67      enable = true;
 68      # Use reverse proxy instead
 69      openFirewall = true;
 70    };
 71    lidarr = {
 72      enable = true;
 73      # Use reverse proxy instead
 74      openFirewall = true;
 75    };
 76    smartd = {
 77      enable = true;
 78      devices = [ { device = "/dev/nvme0n1"; } ];
 79    };
 80    ollama = {
 81      enable = true;
 82      package = pkgs.ollama.override {
 83        config.cudaSupport = true;
 84        config.rocmSupport = false;
 85      };
 86      acceleration = "cuda"; # no nivida :D
 87    };
 88  };
 89
 90  # Move this to a "builder" role, or maybe I don't need this anymore ?
 91  users.extraUsers.builder = {
 92    isNormalUser = true;
 93    uid = 1018;
 94    extraGroups = [ ];
 95    openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
 96  };
 97  nix.settings.trusted-users = [
 98    "root"
 99    "vincent"
100    "builder"
101  ];
102}