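# NixOS host configuration for "tesla-nixos": one OCI container on the host and a
# GitLab Runner (Docker executor) running inside a NixOS nspawn container with its
# own Docker daemon and a private veth network NAT'd through the host.
#
# Fix in this revision: the guest module below uses `lib.mkForce`, but the inner
# function only bound `pkgs`, so evaluation failed with "undefined variable 'lib'".
# `lib` is now taken from the module arguments.
{ config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "tesla-nixos";

  # NOTE(review): every member of `wheel` gets passwordless root via sudo, so a
  # compromised wheel account is a full host compromise. Keep `wheel` minimal.
  security.sudo.wheelNeedsPassword = false;

  boot.initrd.enable = true;
  boot.loader = {
    systemd-boot = {
      enable = true;
    };
  };

  virtualisation.oci-containers.containers = {
    isponsorblocktv = {
      # `latest` is a floating tag: the image content can change on every pull.
      # Pinning to a digest (`image@sha256:<digest>`) makes deployments reproducible.
      image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
      autoStart = true;
      volumes = [ "/home/alisceon/isponsorblocktv:/app/data" ];
    };
  };

  # NOTE(review): this sysctl key comes from a Debian/Arch kernel patch and may not
  # exist on the default NixOS kernel, in which case systemd-sysctl logs a failure
  # at boot. Confirm it is present for the kernel in use; otherwise drop it.
  boot.kernel.sysctl = {
    "kernel.unprivileged_userns_clone" = 1;
  };

  # Directories bind-mounted into the CI container. These rules only create the
  # directories (0755 root); the runner token file referenced by the guest
  # (`/var/lib/gitlab-runner/token-env`) is provisioned separately and should be
  # readable only by the account that runs the runner.
  systemd.tmpfiles.rules = [
    "d /var/lib/gitlab-runner 0755 root root -"
    "d /var/lib/gitlab-runner/builds 0755 root root -"
    "d /var/lib/gitlab-runner/cache 0755 root root -"
  ];

  # Masquerade the container veth network (ve-*) behind the host uplink.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "ens18";
  };

  containers.gitlab-runner = {
    autoStart = true;
    ephemeral = false;
    privateNetwork = true;
    hostAddress = "10.250.0.1";  # host end of veth
    localAddress = "10.250.0.2"; # container end of veth

    # The `builds` and `cache` entries sit inside the parent mount and are
    # therefore redundant; they are kept as explicit mount points (harmless).
    bindMounts = {
      "/var/lib/gitlab-runner" = {
        hostPath = "/var/lib/gitlab-runner";
        isReadOnly = false;
      };
      "/var/lib/gitlab-runner/builds" = {
        hostPath = "/var/lib/gitlab-runner/builds";
        isReadOnly = false;
      };
      "/var/lib/gitlab-runner/cache" = {
        hostPath = "/var/lib/gitlab-runner/cache";
        isReadOnly = false;
      };
    };

    # Guest (inside the nspawn container).
    # `lib` must be bound here: it is used by the `lib.mkForce` calls below.
    config = { pkgs, lib, ... }: {
      networking.hostName = "ci-nspawn";
      time.timeZone = "UTC";

      # Docker daemon inside the container; the runner's Docker executor talks to it.
      virtualisation.docker = {
        enable = true;
      };

      environment.systemPackages = with pkgs; [ docker git ];

      # NOTE(review): `loginctl enable-linger` needs a login user named
      # `gitlab-runner` to exist in the guest — confirm the runner module creates
      # one under that name rather than a dynamic user.
      systemd.services."enable-linger-gitlab-runner" = {
        description = "Enable linger for gitlab-runner";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
          RemainAfterExit = true;
        };
      };

      # GitLab Runner configured to use the local Docker daemon.
      services.gitlab-runner = {
        enable = true;
        services = {
          ci-nspawn-docker = {
            # Runner registration token; lives on the bind-mounted host directory.
            authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
            executor = "docker";
            dockerImage = "alpine:3";
            # NOTE(review): privileged job containers can reach the guest's Docker
            # daemon and thus the whole nspawn container; every job scheduled on this
            # runner should be treated as trusted (e.g. restrict it to protected refs).
            dockerPrivileged = true;
            # Shared cache; the host path is the bind mount declared above.
            dockerVolumes = [ "/var/lib/gitlab-runner/cache:/cache" ];
          };
        };
      };

      # Clear the systemd-managed directory settings the module would otherwise set.
      # NOTE(review): presumably so systemd does not manage paths that the bind
      # mounts already provide — confirm against the gitlab-runner module defaults.
      systemd.services.gitlab-runner.serviceConfig = {
        StateDirectory = lib.mkForce "";
        LogsDirectory = lib.mkForce "";
        CacheDirectory = lib.mkForce "";
        RuntimeDirectory = lib.mkForce ""; # optional, keeps things simple
      };

      # Basics
      systemd.oomd.enable = false;
      services.dbus.enable = true; # required for loginctl above
    };
  };
}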