{
  self,
  caddy-with-plugins,
  ...
}:
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  kib = 1024;

  # Attic binds to loopback only.  The single path to it from outside the
  # host is the Caddy reverse proxy configured under eboskma.caddy-proxy
  # below, so both sides reference the same address.
  atticListenAddress = "127.0.0.1:8080";

  # Attic chunking parameters, in bytes.
  #
  # Warning: changing any of these makes it hard to reuse existing chunks
  # for newly-uploaded NARs, because the cutpoints move.  Expect the
  # deduplication ratio to degrade for a while after such a change.
  chunking = {
    # Smallest NAR that gets chunked at all.
    # 0 disables chunking for new uploads; 1 chunks every NAR.
    nar-size-threshold = 256 * kib;

    # Preferred lower bound on chunk size.
    min-size = 128 * kib;

    # Preferred average chunk size.
    avg-size = 256 * kib;

    # Preferred upper bound on chunk size (1 MiB).
    max-size = 1024 * kib;
  };
in
{
  # This host is an LXC guest; the root and erwin user definitions are
  # shared with the other hosts in the repository.
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")
    ../../users/root
    ../../users/erwin
  ];

  # Site-local modules (eboskma.*): server user, Caddy front-end, shared
  # Nix settings and Tailscale.
  eboskma = {
    users.erwin = {
      enable = true;
      server = true;
    };

    caddy-proxy = {
      enable = true;
      # Caddy build with the Cloudflare plugin from the flake input.
      # Presumably the caddy-env sops secret (passed to the unit below as an
      # EnvironmentFile) carries the Cloudflare credentials — confirm against
      # the caddy-proxy module.
      package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare;
      proxyHosts = [
        {
          externalHostname = "nix-cache.datarift.nl";
          proxyAddress = atticListenAddress;
        }
      ];
    };

    nix-common = {
      enable = true;
      remote-builders = true;
    };

    tailscale.enable = true;
  };

  time.timeZone = "Europe/Amsterdam";

  system = {
    # Record the flake revision in the built system when the tree is clean.
    configurationRevision = lib.mkIf (self ? rev) self.rev;
    stateVersion = "24.05";
  };

  networking = {
    hostName = "nix-cache";

    # Static addressing via systemd-networkd; DHCP, NetworkManager and the
    # host-provided resolv.conf are all switched off.
    useDHCP = false;
    useHostResolvConf = false;
    networkmanager.enable = false;
    useNetworkd = true;

    firewall = {
      # Traffic arriving over the tailnet is accepted without port
      # filtering.  On every other interface only the ports listed here
      # (plus whatever other imported modules open) are reachable.
      trustedInterfaces = [ "tailscale0" ];
      allowPing = true;
      allowedTCPPorts = [
        80
        443
      ];
    };
  };

  systemd.network = {
    enable = true;
    wait-online.anyInterface = true;

    networks."40-eth0" = {
      matchConfig.Name = "eth0";
      networkConfig = {
        Address = "10.0.0.209/24";
        Gateway = "10.0.0.1";
        DNS = "10.0.0.206";
        DHCP = "no";
      };
    };
  };

  # Hand the decrypted caddy-env secret to the Caddy unit as an environment
  # file instead of embedding credentials in the world-readable Nix store.
  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];

  security = {
    # sudo-rs replaces classic sudo.  Only wheel may invoke it, and without
    # a password, so the local privilege boundary is exactly as strong as
    # the wheel accounts' login/SSH authentication.
    sudo.enable = false;
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
      wheelNeedsPassword = false;
    };
  };

  services.atticd = {
    enable = true;

    # Rendered by sops-nix outside the store; presumably holds the S3
    # credentials and the token-signing secret — see secrets.yaml.
    environmentFile = config.sops.secrets.attic-credentials.path;

    settings = {
      inherit chunking;

      listen = atticListenAddress;

      garbage-collection.default-retention-period = "6 weeks";

      storage = {
        type = "s3";
        bucket = "nix-cache";
        endpoint = "https://minio.datarift.nl";
        region = "local";
      };
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      attic-credentials = { };
      caddy-env = { };
    };
  };
}