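{ config, lib, ... }:

# NixOS module `pub-solar.paranoia`: a hardening profile for encrypted-disk
# laptops. When enabled it replaces suspend/lock with hibernation and tightens
# sshd so that only public-key authentication is accepted.
with lib;
let
  cfg = config.pub-solar.paranoia;
in
{
  options.pub-solar.paranoia = {
    enable = mkOption {
      description = ''
        Only offer hibernation instead of screen locking and sleeping. This only makes sense
        if your hard drive is encrypted, and ensures that the contents of your drive are
        encrypted if you are not actively using the device.
      '';
      default = false;
      type = types.bool;
    };
  };

  config = mkIf cfg.enable {
    # Hibernation is the only "away" state this profile offers; it depends on
    # the encrypted disk so that the memory image written to swap is protected.
    pub-solar.core.hibernation.enable = true;
    # Closing the lid hibernates rather than suspending. The docked / external
    # power variants of this logind option are not set here and keep their
    # defaults -- TODO confirm that is intended for this profile.
    services.logind.lidSwitch = "hibernate";

    # The options below are directly taken from or inspired by
    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18

    # Limit the use of sudo to the group wheel
    security.sudo.execWheelOnly = true;

    # Remove the complete default environment of packages like
    # nano, perl and rsync. mkForce so that no other module re-adds them.
    environment.defaultPackages = mkForce [ ];

    # fileSystems."/".options = [ "noexec" ];

    services.openssh = {
      # Don't set this if you need sftp
      allowSFTP = false;
      # sshd's port is not opened in the firewall; open it explicitly for
      # hosts that need remote access, otherwise you lock yourself out.
      openFirewall = false;
      # Disable both interactive credential paths at the NixOS option level so
      # the intent is visible even without reading extraConfig; together with
      # `AuthenticationMethods publickey` below, only keys are accepted.
      passwordAuthentication = false;
      kbdInteractiveAuthentication = false;
      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        AuthenticationMethods publickey
      '';
      # AllowTcpForwarding is deliberately left on (as in the upstream post) so
      # that local port forwarding over SSH keeps working; set it to "no" on
      # hosts that never need it.
    };
  };
}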