{
  modulesPath,
  lib,
  pkgs,
  pubkeys,
  ...
}:
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
    ./adguard.nix
  ];

  age.secrets = {
    navidrome.file = ../../secrets/navidrome.age;
    adguard-dns-list = {
      file = ../../secrets/adguard-dns-list.age;
      mode = "444";
    };
  };

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  modules = {
    container = {
      kitchenowl = {
        enable = true;
        openFirewall = true;
        version = "v0.5.2";
      };
      nginxproxymanager = {
        enable = true;
      };
    };

    server = {
      paperless = {
        enable = true;
        openPort = true;
        settings = {
          PAPERLESS_URL = "https://paperless.ccnlc.eu";
        };
      };

      navidrome = {
        enable = true;
        library = {
          path = "/mnt/music";
          type = "nfs";
          source = {
            ip = "192.168.178.21";
            path = "/mnt/Fort/data/music";
          };
        };
        settings = {
          Address = "0.0.0.0";
          Port = 4533;
        };
      };
    };

    services.tailscale = {
      enable = true;
      isExitNode = true;
      tags = [ "server" ];
    };

    services.rsyncd = {
      enable = true;
      port = 9523;
      settings = {
        globalSection = {
          address = "100.64.0.4";
        };
        sections = {
          backup = {
            path = "/var/backups/test";
            comment = "ftp export area";
            "write only" = true;
            "read only" = false;
          };
        };
      };
    };
  };

  services = {
    openssh.enable = true;

    immich = {
      enable = true;
      openFirewall = true;
      host = "0.0.0.0";
    };

  };

  networking.firewall.allowedTCPPorts = [ 9523 ];

  environment.systemPackages = map lib.lowPrio [
    pkgs.curl
  ];

  users.users.root.openssh.authorizedKeys.keys = [ pubkeys.ny ];

  system.stateVersion = "23.11";
}