{ self, ... }:
{ pkgs, modulesPath, ... }:
{
  # Modules merged into this host: the LXC container profile shipped under
  # `modulesPath`, the host-local backup module, and the root/erwin user
  # definitions from ../../users.
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")

    ./backup.nix
    ../../users/root
    ../../users/erwin
  ];

  # Host settings under the repository's own `eboskma` option namespace; the
  # modules that implement these options are defined outside this file.
  eboskma =
    let
      # Vhost forwarding to loopback port 9000 (presumably the MinIO S3 API).
      # It is the only proxy host marked `external = true`.
      objectApi = {
        externalHostname = "minio.datarift.nl";
        proxyAddress = "127.0.0.1:9000";
        external = true;
      };

      # Vhost forwarding to loopback port 9001 (presumably the MinIO admin
      # console). `external` is left unset here.
      # NOTE(review): `external` is a project-defined option; confirm that its
      # default keeps this hostname unreachable from the public internet.
      adminConsole = {
        externalHostname = "minio-admin.datarift.nl";
        proxyAddress = "127.0.0.1:9001";
      };
    in
    {
      users.erwin.enable = true;
      users.erwin.server = true;

      # Caddy fronts both MinIO ports. The upstreams are addressed via
      # 127.0.0.1, but that only describes where Caddy connects.
      # NOTE(review): verify that MinIO itself listens on loopback only, since
      # tailscale0 is a trusted firewall interface on this host and a wider
      # bind would let tailnet peers bypass the proxy.
      caddy-proxy.enable = true;
      # presumably Caddy built with the Cloudflare DNS plugin, configured via
      # the `caddy-env` sops secret — confirm in the caddy-proxy module
      caddy-proxy.package = pkgs.caddy-cloudflare;
      caddy-proxy.proxyHosts = [
        objectApi
        adminConsole
      ];

      services.minio.enable = true;

      nix-common.enable = true;
      nix-common.remote-builders = true;

      tailscale.enable = true;
    };

  # Local time zone for this host.
  time.timeZone = "Europe/Amsterdam";

  # Record the flake's git revision in the built system, but only when the
  # flake actually exposes a `rev` attribute; otherwise the option stays unset.
  system.configurationRevision =
    let
      inherit (self.inputs.nixpkgs) lib;
    in
    lib.mkIf (self ? rev) self.rev;

  # Host identity.
  networking.hostName = "minio";

  # Interface configuration is delegated to systemd-networkd (see
  # `systemd.network` in this file): the scripted DHCP client and
  # NetworkManager are both off, and the container does not take over the
  # resolv.conf supplied by its host.
  networking.useNetworkd = true;
  networking.useDHCP = false;
  networking.networkmanager.enable = false;
  networking.useHostResolvConf = false;

  # Use the nftables backend for the firewall.
  networking.nftables.enable = true;

  # The NixOS firewall accepts traffic arriving on a trusted interface
  # unconditionally, so every listening port on this host is reachable by any
  # tailnet peer allowed to talk to it. Per-port filtering for tailscale0
  # therefore has to come from the Tailscale ACL policy, not from this host.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  # systemd-networkd setup for the container's single matched interface.
  systemd.network.enable = true;

  # Consider the network online as soon as any one interface is up.
  systemd.network.wait-online.anyInterface = true;

  systemd.network.networks."40-eth0" = {
    matchConfig.Name = "eth0";

    # Address, gateway and DNS are obtained via DHCP ("yes" enables both the
    # DHCPv4 and DHCPv6 clients). The former static values are kept below for
    # reference.
    networkConfig = {
      # Address = "10.0.0.204/24";
      # Gateway = "10.0.0.1";
      # DNS = "10.0.0.206";
      DHCP = "yes";
    };
  };

  # Replace the classic sudo with sudo-rs.
  security.sudo.enable = false;
  security.sudo-rs.enable = true;

  # Only members of `wheel` may execute the sudo binary at all.
  security.sudo-rs.execWheelOnly = true;

  # Members of `wheel` become root without a password prompt. Control of a
  # wheel account (for example through its SSH key) is therefore equivalent to
  # root on this host, so wheel membership and the login credentials of those
  # accounts are the effective privilege boundary.
  security.sudo-rs.wheelNeedsPassword = false;

  # sops-nix secrets for this host, decrypted at activation time from the
  # encrypted secrets.yaml that sits next to this file.
  sops = {
    defaultSopsFile = ./secrets.yaml;

    # Each entry is declared with an empty attrset, so no owner, group, mode
    # or path is set here and the sops-nix defaults apply unless another
    # module overrides them.
    # NOTE(review): confirm that the consuming services (MinIO, the backup
    # job, Caddy) can read their secret without widening permissions beyond
    # what each one needs.
    secrets = {
      minio-root-credentials = { };
      minio_backup_ssh_key = { };
      minio_backup_pass = { };
      caddy-env = { };
    };
  };

  # NixOS release whose stateful-data defaults this host was first installed
  # with. It is a compatibility marker, not the running version; leave it
  # unchanged on upgrades unless the release notes for a migration say
  # otherwise.
  system.stateVersion = "24.05";
}