# NixOS host module for "heimdall" (a Hetzner QEMU guest — see the boot and
# networking sections). The outer function receives the flake's `self` (only used
# for system.configurationRevision); the inner one is the standard NixOS module
# signature.
{ self, ... }:
{ lib, pkgs, config, modulesPath, ... }:
{
  imports = [
    # This host is a QEMU/KVM guest; the profile brings in the virtio guest drivers.
    (modulesPath + "/profiles/qemu-guest.nix")

    # Shared per-user modules (root and erwin); contents live outside this file.
    ../../users/root
    ../../users/erwin

    # Host-local Caddy module (presumably where services.caddy.enable is set —
    # it is not enabled in this file).
    ./caddy
  ];

  # Options from this repository's own `eboskma` module namespace; their
  # definitions are not in this file.
  eboskma.users.erwin = {
    enable = true;
    server = true; # presumably the headless/server variant of the user — check ../../users/erwin
  };

  # Headscale is switched off on this host but keeps its domain settings so
  # re-enabling it is a one-line change. Nothing is listening for it while disabled.
  eboskma.headscale = {
    enable = false;
    baseDomain = "asgard.datarift.nl";
    serverUrl = "https://heimdall.datarift.nl";
  };

  # Keycloak runs here; its DB password comes from sops.secrets.keycloak-db-password below.
  eboskma.keycloak.enable = true;
  eboskma.nix-common.enable = true;

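  networking = {
    hostName = "heimdall";
    domain = "datarift.nl";

    # Interface naming is pinned to "eth0" by the udev rule under services.udev,
    # so predictable names are forced off to keep the networkd match stable.
    usePredictableInterfaceNames = lib.mkForce false;
    # Static addressing is done by systemd-networkd (see systemd.network).
    useDHCP = false;
    networkmanager.enable = false;
    useNetworkd = true;

    firewall = {
      # The NixOS default is already true; stated explicitly so that a plain
      # `enable = false` in another module surfaces as an option conflict at
      # build time instead of silently disabling the host firewall.
      enable = true;
      # Everything arriving over the tailnet bypasses the firewall entirely:
      # every service bound to 0.0.0.0 (sshd, caddy, whatever keycloak exposes)
      # is reachable from any tailnet peer. Keep that in mind when adding services.
      trustedInterfaces = [ "tailscale0" ];
    };
  };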

  systemd.network = {
    enable = true;

    # The public IPv4 is a single /32 and its gateway (172.31.1.1) is not inside
    # that prefix, so the gateway needs an explicit on-link host route before the
    # default route can be installed; the IPv6 side mirrors this via fe80::1.
    networks."40-eth0" = {
      matchConfig.Name = "eth0";

      networkConfig = {
        DHCP = "no";
        Address = [
          "159.69.211.175/32"
          "2a01:4f8:1c1e:5fb2::1/64"
          "fe80::9400:2ff:fe12:a2eb/64"
        ];
        Gateway = [
          "172.31.1.1"
          "fe80::1"
        ];
      };

      routes = [
        { Destination = "172.31.1.1/32"; Scope = "link"; Protocol = "static"; }
        { Destination = "fe80::1/128"; Scope = "link"; Protocol = "static"; }
      ];
    };
  };

  # Caddy's secrets (presumably the DNS-provider credentials used by
  # pkgs.caddy-cloudflare) are injected from a sops-managed env file rather
  # than written into the Caddyfile, which ends up world-readable in the store.
  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];

  ### Hetzner stuff
  boot = {
    # Legacy/BIOS GRUB on the first virtual disk.
    loader.grub.device = "/dev/sda";
    tmp.cleanOnBoot = true;

    # Storage/USB drivers kept in the initrd so the root disk is found at boot;
    # presumably what nixos-generate-config emitted for this VM.
    initrd.availableKernelModules = [
      "ata_piix"
      "uhci_hcd"
      "xen_blkfront"
      "vmw_pvscsi"
    ];
    initrd.kernelModules = [ "nvme" ];
  };

  # Root is addressed by device path rather than by UUID/label — acceptable on a
  # single-disk VM, but it will break if the disk enumeration order ever changes.
  fileSystems = {
    "/" = {
      device = "/dev/sda1";
      fsType = "ext4";
    };
  };

  # Compressed in-RAM swap instead of a swap partition on the VM disk.
  zramSwap = {
    enable = true;
  };
  ### END Hetzner stuff

  time = {
    timeZone = "Europe/Amsterdam";
  };

  # Record the flake commit in the built system (shown by `nixos-version`) when
  # it is known; flakes only expose `self.rev` for a clean git tree, hence the guard.
  system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;

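  services = {
    # Pin the NIC name by MAC so the static networkd config for "eth0" keeps
    # matching across kernel/udev upgrades.
    udev.extraRules = ''
      ATTR{address}=="96:00:02:12:a2:eb", NAME="eth0"
    '';

    openssh = {
      enable = true;
      settings = {
        # Key-only logins. Disabling PasswordAuthentication on its own is not
        # enough on NixOS: sshd runs with UsePAM and KbdInteractiveAuthentication
        # defaults to true, so PAM can still prompt for a password over the
        # keyboard-interactive method. Close that path too.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # PermitRootLogin is deliberately not set here: the NixOS default is
        # "prohibit-password", and ../../users/root may set its own — verify there.
      };
    };

    tailscale = {
      enable = true;
      # Lets the caddy user ask tailscaled for TLS certificates for this node's
      # tailnet name.
      permitCertUid = "caddy";
    };

    caddy = {
      # Caddy build with the Cloudflare DNS plugin; not an upstream nixpkgs
      # attribute, so presumably provided by an overlay. Credentials arrive via
      # the sops env file wired into systemd.services.caddy.
      package = pkgs.caddy-cloudflare;

      virtualHosts."garfield.datarift.nl" =
        let
          # The page is read at evaluation time and baked into the store: it is
          # public and immutable for a given build.
          webRoot = pkgs.writeTextDir "index.html" (builtins.readFile ../proxy/index.html);
        in
        {
          # Every path serves the same static index.html.
          extraConfig = ''
            root * ${webRoot}
            rewrite * /index.html
            file_server
          '';
        };
    };
  };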

  security = {
    # sudo-rs replaces the C sudo; the original is switched off explicitly since
    # both presumably compete for the same setuid wrapper.
    sudo.enable = false;
    sudo-rs.enable = true;

    apparmor.enable = true;
    # Terminate already-running processes that have a profile but started
    # unconfined (e.g. started before the profile was loaded) instead of
    # leaving them running without enforcement.
    apparmor.killUnconfinedConfinables = true;

    protectKernelImage = true;
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      # Consumed by the keycloak module (not in this file); sops-nix's default
      # is root-owned 0400, so confirm the consumer reads it as root or sets
      # owner/mode where it is used.
      keycloak-db-password = { };
      # Read by the service manager (root) as caddy's EnvironmentFile, so the
      # root-only default mode is sufficient here.
      caddy-env = { };
    };
  };

  # Pins stateful defaults for this host; do not bump on an existing install.
  system.stateVersion = "23.05";
}