# NixOS module for the host "k3s-test": an LXC guest (see the lxc-container
# profile in `imports`) with a static address on eth0, running k3s and joined
# to Tailscale through the repo's own `eboskma.tailscale` option.
#
# The outer function takes the flake (`self`); the inner one is the regular
# NixOS module function.
{ self, ... }:
{ modulesPath, lib, ... }:
{
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")
    ../../users/root
    ../../users/erwin
  ];

  # Options declared elsewhere in this repository; their effect is not visible
  # from this file.
  eboskma.users.erwin = {
    enable = true;
    server = true;
  };
  eboskma.nix-common = {
    enable = true;
    remote-builders = true;
  };
  eboskma.tailscale.enable = true;

  # k3s with the module's default role (none is set here). --tls-san adds the
  # address as a subject alternative name on the API server certificate, so it
  # must stay in sync with the static Address configured for eth0 below.
  # NOTE(review): extraFlags is evaluated into the world-readable Nix store, so
  # a token or other credential should never be passed this way; use a secret
  # file (e.g. services.k3s.tokenFile fed from sops) if one is ever needed.
  services.k3s.enable = true;
  services.k3s.extraFlags = "--tls-san=10.0.0.208";

  time.timeZone = "Europe/Amsterdam";

  system = {
    # Record the flake's git revision in the built system, but only when the
    # flake actually carries a `rev` attribute.
    configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;

    stateVersion = "24.05";
  };

  networking.hostName = "k3s-test";

  # Addressing and DNS come from the systemd-networkd unit below, not from
  # DHCP, NetworkManager or the host's resolv.conf.
  networking.useDHCP = false;
  networking.useHostResolvConf = false;
  networking.networkmanager.enable = false;
  networking.useNetworkd = true;

  # Everything arriving on tailscale0 is accepted without further filtering,
  # so access control for that path rests entirely on the tailnet's ACLs.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  networking.firewall.allowPing = true;
  # 6443/tcp is the Kubernetes API server port k3s listens on by default. This
  # opens it on every interface, i.e. also to the 10.0.0.0/24 network on eth0.
  # NOTE(review): if the API is only meant to be reached over Tailscale, this
  # entry is unnecessary given the trusted interface above — confirm intent.
  networking.firewall.allowedTCPPorts = [ 6443 ];

  systemd.network.enable = true;

  # Treat the network as online as soon as any one interface is up.
  systemd.network.wait-online.anyInterface = true;

  # Static IPv4 configuration for eth0.
  systemd.network.networks."40-eth0" = {
    matchConfig.Name = "eth0";

    networkConfig = {
      Address = "10.0.0.208/24";
      Gateway = "10.0.0.1";
      DNS = "10.0.0.206";
      DHCP = "no";
    };
  };

  # tmpfiles type `L`: create /dev/kmsg as a symlink to /dev/console when it
  # does not already exist. Presumably a workaround for the kubelet expecting
  # /dev/kmsg inside the container — confirm. Side effect: anything written to
  # /dev/kmsg ends up on the container console.
  systemd.tmpfiles.rules = [ "L /dev/kmsg - - - - /dev/console" ];

  # Classic sudo is switched off in favour of sudo-rs.
  security.sudo.enable = false;
  security.sudo-rs = {
    enable = true;
    # Only members of `wheel` may execute the sudo binary at all ...
    execWheelOnly = true;
    # ... and they are not asked for a password. Any session as a wheel user
    # (for example via an SSH key) is therefore equivalent to root on this
    # node and, through k3s, on the cluster it hosts. Which accounts are in
    # `wheel` is decided in ../../users/*; verify there.
    wheelNeedsPassword = false;
  };

  # sops-nix: the default secrets file is set, but no secret is declared, so
  # nothing from it is decrypted on this host yet.
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = { };
  };
}