# NixOS host module for the "ci" LXC container: a Woodpecker CI runner with
# podman, reachable over Tailscale. Curried: the flake `self` first, then the
# module-system arguments.
{ self, ... }:
{ modulesPath, ... }:
let
  inherit (self.inputs.nixpkgs.lib) mkIf;

  # Static addressing for the container's single uplink (see systemd.network).
  uplink = "eth0";
  staticAddress = "10.0.0.202/24";
  defaultGateway = "10.0.0.1";
  resolver = "10.0.0.206";
in
{
  imports = [
    # Base settings for running NixOS as an LXC guest.
    (modulesPath + "/virtualisation/lxc-container.nix")
    ../../users/root
    ../../users/erwin
  ];

  # Site-local option namespace defined elsewhere in this repository.
  eboskma = {
    users.erwin = {
      enable = true;
      server = true;
    };
    nix-common = {
      enable = true;
      remote-builders = true;
    };
    tailscale.enable = true;
    woodpecker.enable = true;
  };

  boot.isContainer = true;
  time.timeZone = "Europe/Amsterdam";

  # `self.rev` only exists for a clean checkout, so the revision stamp is
  # conditional on it being present.
  system.configurationRevision = mkIf (self ? rev) self.rev;
  system.stateVersion = "24.05";

  networking = {
    hostName = "ci";
    # Addressing is static and handled by systemd-networkd below, so neither
    # DHCP, the host's resolv.conf nor NetworkManager is used.
    useDHCP = false;
    useHostResolvConf = false;
    useNetworkd = true;
    networkmanager.enable = false;
    nftables.enable = false;
    # Traffic arriving on the tailnet interface bypasses the firewall
    # entirely: any service bound to all interfaces is reachable by every
    # tailnet peer.
    firewall.trustedInterfaces = [ "tailscale0" ];
    # DNS only, on the podman bridge interfaces — presumably so containers can
    # reach the host-side resolver enabled by `dns_enabled` below.
    firewall.interfaces."podman+" = {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 ];
    };
  };

  virtualisation.podman = {
    enable = true;
    # Reclaim unused images/containers on a weekly schedule.
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
    defaultNetwork.settings.dns_enabled = true;
  };

  systemd.network = {
    enable = true;
    # Do not block boot on every interface coming up; one is enough.
    wait-online.anyInterface = true;
    networks."40-eth0" = {
      matchConfig.Name = uplink;
      networkConfig = {
        Address = staticAddress;
        Gateway = defaultGateway;
        DNS = resolver;
        DHCP = "no";
      };
    };
  };

  security = {
    # sudo-rs replaces the classic sudo; only wheel members may execute it.
    sudo.enable = false;
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
      # NOTE(review): wheel members get root without a password. On a runner
      # that executes CI jobs, compromise of any wheel account is immediate
      # root — confirm this is actually required by the remote-builder setup.
      wheelNeedsPassword = false;
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Declared with default options; presumably consumed by the woodpecker
    # module enabled under `eboskma` above — verify there.
    secrets = {
      woodpecker-server = { };
      woodpecker-agent = { };
    };
  };
}