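# NixOS host configuration for "heimdall" (heimdall.datarift.nl), a QEMU guest
# on a Hetzner-style cloud VM. Outer function receives the flake (`self`) and
# returns a standard NixOS module.
{ self, ... }:
{
  pkgs,
  modulesPath,
  lib,
  ...
}:
{
  imports = [
    # Hetzner cloud machines are QEMU guests; pulls in virtio/qemu guest defaults.
    "${modulesPath}/profiles/qemu-guest.nix"

    ../../users/root
    ../../users/erwin

    ./caddy
  ];

  # Site-local option namespace defined elsewhere in this repository.
  # NOTE(review): exact semantics of `server`, `headscale` and `nix-common`
  # live in those modules, not here — check them before relying on any claim.
  eboskma = {
    users.erwin = {
      enable = true;
      server = true;
    };
    # Headscale is kept configured but switched off on this host.
    headscale = {
      enable = false;
      baseDomain = "asgard.datarift.nl";
      serverUrl = "https://heimdall.datarift.nl";
    };
    keycloak.enable = true;
    nix-common = {
      enable = true;
    };
  };

  networking = {
    hostName = "heimdall";
    domain = "datarift.nl";

    # The interface is pinned to "eth0" by the udev rule below (matched on MAC),
    # so predictable names are forced off to keep the networkd unit stable.
    usePredictableInterfaceNames = lib.mkForce false;
    useDHCP = false;
    networkmanager.enable = false;
    useNetworkd = true;
    # Everything arriving over the tailnet bypasses the host firewall entirely;
    # anything that must stay tailnet-only therefore relies on Tailscale ACLs.
    firewall.trustedInterfaces = [ "tailscale0" ];
  };

  # Static addressing for a Hetzner cloud VM: a /32 public IPv4 whose gateway
  # is not on-subnet, so the gateway gets an explicit on-link host route.
  systemd.network = {
    enable = true;

    networks = {
      "40-eth0" = {
        matchConfig = {
          Name = "eth0";
        };

        networkConfig = {
          Address = [
            "159.69.211.175/32"
            "2a01:4f8:1c1e:5fb2::1/64"
            "fe80::9400:2ff:fe12:a2eb/64"
          ];
          DHCP = "no";
          Gateway = [
            "172.31.1.1"
            "fe80::1"
          ];
        };

        # On-link routes so the off-subnet gateways above are reachable.
        routes = [
          {
            Destination = "172.31.1.1/32";
            Scope = "link";
            Protocol = "static";
          }
          {
            Destination = "fe80::1/128";
            Scope = "link";
            Protocol = "static";
          }
        ];
      };
    };
  };

  ### Hetzner stuff
  boot = {
    tmp.cleanOnBoot = true;
    loader.grub.device = "/dev/sda";
    initrd = {
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "xen_blkfront"
        "vmw_pvscsi"
      ];
      kernelModules = [ "nvme" ];
    };
  };

  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
  };

  zramSwap.enable = true;
  ### END Hetzner stuff

  time.timeZone = "Europe/Amsterdam";

  # Record the flake revision in the system profile when the tree is clean
  # (`self.rev` only exists for a committed, unmodified checkout).
  system.configurationRevision = lib.mkIf (self ? rev) self.rev;

  services = {
    # Rename the NIC with this MAC to "eth0" so the networkd unit above matches.
    udev.extraRules = ''
      ATTR{address}=="96:00:02:12:a2:eb", NAME="eth0"
    '';

    openssh = {
      enable = true;
      settings = {
        # Key-only logins. NixOS leaves keyboard-interactive enabled by default,
        # which is a second, PAM-backed path to password prompts; disable it
        # too so PasswordAuthentication=no is not bypassed via PAM.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
    tailscale = {
      enable = true;
      # Allow the caddy service user to obtain TLS certificates through tailscaled.
      permitCertUid = "caddy";
    };

    # Additional virtual hosts on top of whatever ./caddy configures.
    caddy = {
      virtualHosts = {
        # Serves a single static page from the Nix store; every path rewrites
        # to /index.html.
        "garfield.datarift.nl" =
          let
            webRoot = pkgs.writeTextDir "index.html" (builtins.readFile ../proxy/index.html);
          in
          {
            extraConfig = ''
              root * ${webRoot}
              rewrite * /index.html
              file_server
            '';
          };

        # Plain static file serving from a directory on the host filesystem.
        "boskma.frl" = {
          extraConfig = ''
            root * /var/www/boskma.frl
            file_server
          '';
        };
      };
    };
  };

  security = {
    # Memory-safe sudo replacement; the classic sudo is explicitly disabled
    # so only one setuid sudo binary ends up on the system.
    sudo-rs = {
      enable = true;
    };
    sudo.enable = false;

    apparmor = {
      enable = true;
      # Kill processes that have an AppArmor profile but started unconfined.
      killUnconfinedConfinables = true;
    };
    # Blocks writes to /dev/mem, kexec and hibernation (kernel lockdown-style).
    protectKernelImage = true;
  };

  # Secrets are decrypted at activation from the host's sops file.
  # NOTE(review): no owner/group is set for `caddy-env`, so it is root-only
  # (0400) unless ./caddy sets ownership or reads it via a root-side
  # EnvironmentFile/LoadCredential — confirm in ./caddy.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    keycloak-db-password = { };
    caddy-env = { };
  };

  system.stateVersion = "23.05";
}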