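# KAWA OS - main NixOS module
# Automatic configuration for joining the KAWA mesh.
#
# Security notes for operators (all visible in this file):
#   * `authKey` defaults to a credential committed in the module source.
#     Anyone who can read this file or the evaluated configuration can read
#     it. Treat it as exposed: rotate it on the Headscale server and supply
#     the replacement through `authKeyFile`.
#   * SSH accepts passwords and root logins, and the `kawa` user is in
#     `wheel` with a fixed initial password. Change that password on first
#     boot, or override the SSH settings in the host configuration.
#   * NATS is configured without an authorization block, and Ollama binds
#     to 0.0.0.0. Both ports are opened in the firewall on every interface.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.kawa;
in
{
  options.services.kawa = {
    enable = mkEnableOption "KAWA mesh network";

    hostname = mkOption {
      type = types.str;
      default = "kawa-node";
      description = "Hostname du nœud KAWA (fixe, pas dynamique)";
    };

    headscaleUrl = mkOption {
      type = types.str;
      default = "https://headscale.du-senegal.com";
      description = "URL du serveur Headscale";
    };

    authKey = mkOption {
      type = types.str;
      # Kept only so existing hosts evaluate unchanged. The value is
      # interpolated into a `tailscale up` flag below, so it lands in plain
      # text in the system configuration. Prefer `authKeyFile`.
      default = "f43f36ef159b3df799eb316b81bdac1b415c7cc2add174d0";
      description = "Clé d'authentification Headscale";
    };

    authKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      # Constructed example path. Pass it as a string: a Nix path literal
      # would be copied into the world-readable store.
      example = "/run/secrets/kawa-authkey";
      description = "Fichier contenant la clé d'authentification Headscale, lu à l'exécution ; prioritaire sur authKey.";
    };

    natsServer = mkOption {
      type = types.str;
      default = "100.64.0.1:4222";
      description = "Serveur NATS";
    };

    enableOllama = mkOption {
      type = types.bool;
      default = false;
      description = "Activer Ollama";
    };

    enableSyncthing = mkOption {
      type = types.bool;
      default = true;
      description = "Activer Syncthing";
    };
  };

  config = mkIf cfg.enable {
    # Surface the risky defaults at evaluation time instead of failing, so
    # existing deployments keep building.
    warnings =
      optional (cfg.authKeyFile == null)
        "services.kawa: la clé Headscale est fournie en clair via authKey ; définissez services.kawa.authKeyFile et révoquez la clé par défaut."
      ++ optional config.services.openssh.settings.PasswordAuthentication
        "services.kawa: SSH accepte les mots de passe et l'utilisateur kawa a un mot de passe initial connu ; changez-le ou désactivez PasswordAuthentication.";

    # Fixed hostname (nothing is read from /sys).
    networking.hostName = cfg.hostname;

    # Tailscale client pointed at the Headscale control server.
    services.tailscale = {
      enable = true;
      # null keeps the previous behaviour; a path makes the Tailscale
      # module read the key from that file at runtime.
      authKeyFile = cfg.authKeyFile;
      # NOTE(review): the nixpkgs tailscale module documents extraUpFlags
      # as applied only when authKeyFile is set. Confirm against the pinned
      # nixpkgs revision whether the inline --authkey path takes effect.
      extraUpFlags =
        [ "--login-server=${cfg.headscaleUrl}" ]
        # The inline key is passed only when no key file is configured, so
        # the secret stays off the command line in the file-based setup.
        ++ optional (cfg.authKeyFile == null) "--authkey=${cfg.authKey}"
        ++ [ "--force-reauth" ];
    };

    # NATS (options adjusted for recent Nixpkgs).
    # No authorization is configured here, so any client that can reach
    # port 4222 can connect.
    services.nats = {
      enable = true;
      settings = {
        port = 4222;
        http_port = 8222;
      };
    };

    # Ollama (optional).
    services.ollama = mkIf cfg.enableOllama {
      enable = true;
      acceleration = null; # CPU only
      # Listens on every interface, and the API port is opened below.
      host = "0.0.0.0";
      port = 11434;
    };

    # Syncthing
    services.syncthing = mkIf cfg.enableSyncthing {
      enable = true;
      user = "kawa";
      group = "kawa";
    };

    # SSH. Password and root logins stay enabled for compatibility. A host
    # can override both with mkForce once key-based access is in place.
    services.openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "yes";
        PasswordAuthentication = true;
      };
    };

    # Firewall. tailscale0 is a trusted interface, so mesh peers reach every
    # port regardless of the lists below; those lists control what other
    # interfaces see. Ports for optional services are opened only when the
    # service is enabled.
    networking.firewall = {
      allowedTCPPorts =
        [ 22 4222 ]
        ++ optional cfg.enableSyncthing 22000
        ++ optional cfg.enableOllama 11434;
      allowedUDPPorts =
        [ 41641 ]
        ++ optional cfg.enableSyncthing 22000;
      trustedInterfaces = [ "tailscale0" ];
    };

    # KAWA user. Membership in `wheel` makes the fixed initial password
    # below an administrative credential until it is changed.
    users.users.kawa = {
      isNormalUser = true;
      extraGroups = [ "wheel" "networkmanager" "tailscale" ];
      initialPassword = "kawa2026";
    };

    # Packages
    environment.systemPackages = with pkgs; [
      git
      vim
      tailscale
      nats-cli
      curl
      wget
      htop
    ];
  };
}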