{ self, ... }:
{ modulesPath, pkgs, ... }:
{
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")
    ../../users/root
    ../../users/erwin
  ];

  # Host-specific switches for the repository's own `eboskma.*` modules. Those
  # modules are defined outside this file, so the effect of each option below is
  # only as described where the values make it evident.
  eboskma = {
    users.erwin.enable = true;
    users.erwin.server = true;

    nix-common.enable = true;
    nix-common.remote-builders = true;

    # Joins this host to the tailnet; every proxy upstream below is addressed by
    # its *.barn-beaver.ts.net name, so proxy -> backend traffic is expected to
    # travel over Tailscale.
    tailscale.enable = true;

    caddy-proxy = {
      enable = true;
      # The `dns cloudflare` TLS directive used elsewhere in this file requires a
      # Caddy build that includes the Cloudflare DNS provider; presumably this
      # package is that build (confirm in the overlay that defines it).
      package = pkgs.caddy-cloudflare;

      # One entry per published hostname. List order is kept as authored.
      #
      # NOTE(review): `external = true` is set only on home.* and minio.*; the
      # other four entries omit it and therefore take the module default. The
      # meaning of `external` lives in the caddy-proxy module (not shown) --
      # presumably it controls reachability from outside the internal network.
      # Confirm that the default is the restrictive one, since minio-admin.* and
      # unifi.* front administrative consoles, and that the two external hosts
      # rely on strong application-level authentication.
      proxyHosts = [
        {
          external = true;
          externalHostname = "home.datarift.nl";
          proxyAddress = "homeassistant.barn-beaver.ts.net:8123";
        }
        {
          externalHostname = "frigate.datarift.nl";
          proxyAddress = "frigate.barn-beaver.ts.net:8971";
        }
        {
          external = true;
          externalHostname = "minio.datarift.nl";
          proxyAddress = "minio.barn-beaver.ts.net:9000";
        }
        {
          externalHostname = "minio-admin.datarift.nl";
          proxyAddress = "minio.barn-beaver.ts.net:9001";
        }
        {
          externalHostname = "saga.datarift.nl";
          proxyAddress = "saga.barn-beaver.ts.net:3000";
        }
        {
          externalHostname = "unifi.datarift.nl";
          proxyAddress = "unifi.barn-beaver.ts.net:8443";
        }
      ];
    };
  };

  # This system runs as a container (see the lxc-container.nix import), so no
  # bootloader or kernel of its own is configured.
  boot.isContainer = true;

  # Raise the ceiling (in bytes) that applications may request for socket
  # receive/send buffers. The reason is not stated in this file; presumably it
  # serves the UDP-heavy services on this host (QUIC in Caddy, Tailscale) --
  # confirm before changing.
  boot.kernel.sysctl."net.core.rmem_max" = 2500000;
  boot.kernel.sysctl."net.core.wmem_max" = 2500000;

  time.timeZone = "Europe/Amsterdam";

  # Stamp the system with the flake's git revision so a running host can be
  # traced back to the commit it was built from. The value is set only when
  # `self` actually carries a `rev` attribute; otherwise the option is left
  # undefined rather than set to a placeholder.
  system.configurationRevision =
    let
      inherit (self.inputs.nixpkgs.lib) mkIf;
    in
    mkIf (self ? rev) self.rev;

  networking.hostName = "proxy";

  # Interface configuration is handed to systemd-networkd (the eth0 unit is
  # declared under systemd.network in this file); the scripted DHCP client and
  # NetworkManager are switched off so they do not compete with it. The host's
  # resolv.conf is not reused inside the container.
  networking.useNetworkd = true;
  networking.useDHCP = false;
  networking.networkmanager.enable = false;
  networking.useHostResolvConf = false;

  # Packet filtering uses the nftables backend.
  networking.nftables.enable = true;

  # NOTE(review): a trusted interface bypasses the firewall entirely -- every
  # port listening on this host is reachable by any peer that can send traffic
  # over tailscale0. Access control for that path therefore rests on the
  # tailnet's own ACLs; keep them scoped to the devices and ports that actually
  # need this proxy.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  # The logrotate configuration check unit is disabled on this host. The reason
  # is not recorded here -- presumably the check does not work inside the
  # container; confirm before re-enabling.
  systemd.services.logrotate-checkconf.enable = false;

  systemd.network = {
    enable = true;

    # Treat the network as online as soon as any one interface is up, instead
    # of waiting for all of them.
    wait-online.anyInterface = true;

    networks."40-eth0" = {
      matchConfig.Name = "eth0";

      # eth0 is configured by DHCP. The static settings that were used before
      # are kept below for reference.
      networkConfig = {
        DHCP = "yes";
        # Address = "10.0.0.251/24";
        # Gateway = "10.0.0.1";
        # DNS = "10.0.0.206";
      };
    };
  };

  # Privilege escalation goes through sudo-rs; the classic sudo module is
  # switched off so only one implementation is installed.
  security.sudo.enable = false;
  security.sudo-rs.enable = true;

  # Only members of `wheel` may execute the sudo binary at all.
  security.sudo-rs.execWheelOnly = true;

  # NOTE(review): wheel members become root without a password prompt, so
  # control of any wheel account (for example through its SSH key) is
  # equivalent to root on this host -- the machine that terminates TLS for the
  # proxied services and uses the Cloudflare DNS credential. Wheel membership
  # is decided in the ../../users modules (not shown); keep it minimal and keep
  # login to those accounts key-only, or require a password here.
  security.sudo-rs.wheelNeedsPassword = false;

  # Static landing page for garfield.datarift.nl.
  #
  # The web root is a store directory holding a single file, index.html, copied
  # from next to this module. Every request path is rewritten to /index.html
  # before file_server runs, so no other path is ever served.
  #
  # The certificate is obtained through the ACME DNS challenge using the
  # Cloudflare provider. `{env.CF_API_TOKEN}` is a Caddy placeholder resolved
  # from Caddy's process environment at run time, not Nix interpolation, so the
  # token value is not written into the world-readable Nix store. How the
  # variable reaches Caddy is not shown in this file -- presumably via the
  # `caddy-env` sops secret and the caddy-proxy module; confirm. The token
  # should carry DNS-edit permission for the required zone only.
  # `resolvers 1.1.1.1` sets the DNS resolver Caddy uses for the DNS challenge.
  services.caddy.virtualHosts."garfield.datarift.nl".extraConfig =
    let
      landingPage = pkgs.writeTextDir "index.html" (builtins.readFile ./index.html);
    in
    ''
      root * ${landingPage}
      rewrite * /index.html
      file_server
      tls {
        dns cloudflare {env.CF_API_TOKEN}
        resolvers 1.1.1.1
      }
    '';

  # Secrets for this host come from the secrets.yaml file next to this module.
  # `caddy-env` is declared with no per-secret overrides, so its owner, mode
  # and path are whatever the sops module defaults to.
  # NOTE(review): presumably this secret carries CF_API_TOKEN for Caddy --
  # confirm that the service consuming it can read it under those defaults and
  # that no other account can.
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets.caddy-env = { };
  };

  # Release whose stateful-data defaults this host was first installed with.
  # It is a compatibility marker, not the running NixOS version: leave it fixed
  # across upgrades unless the release notes for a migration say otherwise.
  system.stateVersion = "24.05";
}