{ self, caddy-with-plugins, ... }:
{ pkgs, modulesPath, ... }:
{
  imports = [
    (modulesPath + "/virtualisation/lxc-container.nix")

    ../../users/root
    ../../users/erwin

    ./blocky
    ./coredns
    ./promtail
    # ./unbound
  ];

  # Options under `eboskma` come from this repository's own modules, which are
  # not visible in this file; notes on their effect are assumptions to confirm.
  eboskma = {
    users.erwin.enable = true;
    users.erwin.server = true;

    # adguard = {
    #   upstreams = [ "127.0.0.1:5335" ];
    # };

    caddy-proxy = {
      enable = true;
      # Caddy build taken from the `caddy-with-plugins` flake input for this
      # host's platform; judging by the attribute name it bundles a Cloudflare
      # plugin.
      # NOTE(review): presumably its credentials arrive through the `caddy-env`
      # sops secret declared in this file. Confirm the token is scoped to the
      # single zone it has to manage.
      package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare;
      # The backend is addressed over loopback. That only keeps it private if
      # the service behind port 4000 also binds to 127.0.0.1 rather than to
      # all interfaces (set outside this file, likely in ./blocky; verify).
      # NOTE(review): this file opens no TCP ports in the firewall, so the
      # proxy is reachable from the LAN only if the caddy-proxy module opens
      # them itself; over tailscale0 it is reachable regardless.
      proxyHosts = [
        {
          proxyAddress = "127.0.0.1:4000";
          externalHostname = "blocky.datarift.nl";
        }
      ];
    };

    # NOTE(review): `remote-builders` presumably lets this host hand builds to
    # other machines; confirm which key it uses and who can reach the builders.
    nix-common.enable = true;
    nix-common.remote-builders = true;

    tailscale = {
      enable = true;
    };
  };

  # Switch off systemd-resolved's local stub listener on port 53.
  # NOTE(review): presumably this frees the port for the DNS services imported
  # above (./blocky, ./coredns); confirm which of them binds it, and on which
  # addresses.
  services.resolved.extraConfig = ''
    DNSStubListener=no
  '';

  time.timeZone = "Europe/Amsterdam";

  # Record the flake revision in the built system, but only when `self`
  # carries a `rev` attribute; otherwise the option is left unset. A recorded
  # revision lets a running system be traced back to the commit it was built
  # from.
  system.configurationRevision =
    let
      inherit (self.inputs.nixpkgs) lib;
    in
    lib.mkIf (self ? rev) self.rev;

  networking = {
    hostName = "valkyrie";

    # Interfaces are managed by systemd-networkd with static addressing:
    # no DHCP client, no NetworkManager, and the container does not take
    # over the host's resolv.conf.
    useNetworkd = true;
    useDHCP = false;
    networkmanager.enable = false;
    useHostResolvConf = false;

    # Build the firewall rules with nftables.
    nftables.enable = true;

    # Traffic arriving on a trusted interface is accepted unconditionally, so
    # the port allow-list below does not apply to it. Every service listening
    # on this host is therefore reachable from the tailnet, and the tailnet's
    # own ACLs are the only access control on that path.
    firewall.trustedInterfaces = [ "tailscale0" ];

    # UDP 53 is DNS and UDP 67 is the DHCP server port.
    # NOTE(review): no TCP port is opened here. DNS clients retry over TCP 53
    # when a UDP answer is truncated, so check whether ./blocky or ./coredns
    # opens it. No DHCP server is configured in this file either; confirm an
    # imported module needs port 67, and drop it from the list if none does.
    firewall.allowedUDPPorts = [
      53
      67
    ];
  };

  systemd.network.enable = true;

  # Treat the network as online as soon as any one interface is up, rather
  # than waiting for all of them.
  systemd.network.wait-online.anyInterface = true;

  # Static configuration for the container's eth0.
  systemd.network.networks."40-eth0" = {
    matchConfig.Name = "eth0";

    networkConfig = {
      DHCP = "no";
      Address = "10.0.0.206/24";
      Gateway = "10.0.0.1";
      # The host resolves names through whatever listens on its own loopback.
      # NOTE(review): if that resolver is down, the host cannot resolve names
      # either, including for fetching updates; confirm this is acceptable.
      DNS = "127.0.0.1";
    };
  };

  # sudo-rs takes the place of the classic sudo, which is switched off.
  security.sudo.enable = false;
  security.sudo-rs = {
    enable = true;
    # Only members of `wheel` may execute the sudo binary at all.
    execWheelOnly = true;
    # Members of `wheel` are not asked for a password. Any process running as
    # a wheel user can therefore become root without further authentication,
    # so wheel membership and the way those accounts log in (e.g. SSH keys
    # only) are the whole privilege boundary on this host.
    wheelNeedsPassword = false;
  };

  # Secrets are read from the encrypted file that sits next to this module.
  sops.defaultSopsFile = ./secrets.yaml;

  # Both secrets are declared with an empty attribute set, so owner, mode and
  # path are whatever the sops module defaults to.
  # NOTE(review): presumably these are environment files for CoreDNS and
  # Caddy. Confirm that only the consuming service can read each one, and that
  # neither value is copied into the world-readable Nix store.
  sops.secrets.coredns-env = { };
  sops.secrets.caddy-env = { };

  # Release whose stateful defaults this host was installed with. It is not
  # the running NixOS version and should stay fixed across upgrades.
  system.stateVersion = "23.11";
}