# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

{
  lib,
  meta,
  pkgs,
  ...
}:
let
  # Accounts listed in the organization's `nix-builder` group (taken from `meta`).
  builders = meta.organization.groups.nix-builder;
in
{
  # NixOS module fragment for a shared Nix build host: it declares who may
  # access it, then bounds file descriptors, daemon memory and store growth.
  config = {
    # One entry per builder account, each mapped to a single-element list
    # holding that same name. How `dgn-access-control` interprets the list is
    # defined by that module, which is not visible here.
    dgn-access-control.users = lib.genAttrs builders (member: [ member ]);

    # pam_limits entry: domain "*" matches every account, and type "-" sets the
    # soft and the hard limit together, so each PAM session gets 20480 open files.
    security.pam.loginLimits = [
      {
        domain = "*";
        type = "-";
        item = "nofile";
        value = "20480";
      }
    ];

    # Resource ceiling on the nix-daemon unit, so a runaway build hits this
    # limit instead of exhausting the host.
    systemd.services.nix-daemon = {
      serviceConfig = {
        MemoryAccounting = true;
        # MemoryHigh is the throttling threshold; MemoryMax is the hard cap.
        MemoryHigh = "440G";
        MemoryMax = "450G";
        MemorySwapMax = "2G";
        # "kill" marks this unit as a candidate for systemd-oomd; it only has
        # an effect when systemd-oomd runs on the host (not shown here).
        ManagedOOMMemoryPressure = "kill";
        ManagedOOMSwap = "kill";
        # Exposes memory-pressure notification to the service.
        # NOTE(review): whether nix-daemon reacts to it is not visible here.
        MemoryPressureWatch = "on";
      };
    };

    # Store garbage collection: fires at minute 45 of every hour, spread by up
    # to 1800 s of random delay.
    nix.gc = {
      automatic = true;
      dates = lib.mkForce "*:45";
      randomizedDelaySec = "1800";

      # The shell expands the arithmetic when the collector is launched:
      # 128 GiB minus the space currently available on /nix/store (df -k
      # reports KiB in column 4, hence the * 1024). The result is the number
      # of bytes to free so that roughly 128 GiB ends up available.
      # NOTE(review): with more than 128 GiB already free the value is
      # negative — confirm the collector treats that as "nothing to free".
      options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
    };

    # NOTE(review): `auto-allocate-uids` is enabled in the settings below, so
    # this static build-user pool may go unused — confirm it is still wanted.
    nix.nrBuildUsers = 128;

    nix.settings = {
      # Features that must be opted into before the settings below can use them.
      experimental-features = [
        "auto-allocate-uids"
        # "ca-derivations" this feature is really extremely broken.
        "cgroups"
        "fetch-closure"
        # Impure derivations are built with network access and are not
        # reproducible; which clients may submit them depends on the daemon's
        # allowed-users / trusted-users settings, which are not set in this file.
        "impure-derivations"
      ];

      # Build isolation: build UIDs are allocated on demand and each build
      # runs in its own cgroup.
      auto-allocate-uids = true;
      use-cgroups = true;

      # Parallelism: up to 8 concurrent builds, each told it may use every
      # core (0 = all), so CPU can be oversubscribed under load.
      max-jobs = 8;
      cores = 0;
      # 0 removes the cap on parallel HTTP connections for downloads.
      http-connections = 0;

      # Outputs and .drv files are not kept alive as GC roots for each other,
      # so the hourly collection can reclaim them.
      keep-outputs = false;
      keep-derivations = false;

      fsync-metadata = true;
    };
  };
}