# NixOS host module for a QEMU guest: nginx reverse proxy in front of
# rustypaste and forgejo, headscale, a tailscale node and an SSH tarpit.
{
  modulesPath,
  lib,
  pkgs,
  config,
  pubkeys,
  ...
}:
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
    ./container-root.nix
    ./rustypaste
    ./forgejo
    ./headscale.nix
  ];

  # agenix: secrets are decrypted with the host's own SSH ed25519 key,
  # so that key must exist before any of these secrets can be provisioned.
  age = {
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      couchdb.file = ../../secrets/couchdb.age;
      rustypaste.file = ../../secrets/rustypaste.age;
    };
  };

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  modules.services.tailscale = {
    enable = true;
    tags = [ "server" ];
    # Do not accept the tailnet's DNS config for now: this *server* cannot
    # reach the private DNS resolver.
    extraFlags = [ "--accept-dns=false" ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@ccnlc.eu";
  };

  # mkForce is pushed down onto every option in this set, so ports that other
  # modules would add (e.g. via their openFirewall options) are discarded;
  # every externally reachable TCP port has to be listed here explicitly.
  networking.firewall = lib.mkForce {
    enable = true;
    allowedTCPPorts = [
      80 # HTTP, required for ACME challenges
      443 # HTTPS
      config.services.endlessh.port # SSH tarpit (see services.endlessh below)
    ];
  };

  services = {
    headscale.enable = true;

    # Tarpit on the default SSH port. Real SSH access is presumably reached
    # some other way (e.g. over the tailnet) — not configured in this file.
    endlessh = {
      enable = true;
      port = 22;
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      clientMaxBodySize = "50M";
      # lib.my.mkVHost yields a { name; value; } pair for listToAttrs;
      # arguments appear to be (fqdn, upstream port, flag — presumably TLS).
      virtualHosts = builtins.listToAttrs [
        (lib.my.mkVHost "rusty.ccnlc.eu" 8000 true)
        (lib.my.mkVHost "git.ccnlc.eu" 3000 true)
      ];
    };
  };

  # lowPrio lowers these packages' precedence in the system profile, so any
  # other package providing the same files wins on collision.
  environment.systemPackages = map lib.lowPrio (
    with pkgs;
    [
      curl
      gitMinimal
    ]
  );

  system.stateVersion = "24.11";
}