{
  inputs,
  config,
  pkgs,
  ...
}:

let
  # mkdir /etc/secrets/initrd -p
  # chmod 700 -R /etc/secrets/
  # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  hostKeys = [
    {
      path = "/etc/secrets/initrd/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];
in
{
  imports = [
    ./disk-config.nix
    ../../hardware/base.nix
    ../../desktop/x11.nix
    ../../system/server.nix
    ../../virtualisation/containers.nix
    ../../virtualisation/podman.nix
    ../../modules/inadyn.nix
    ../../services/adguardhome.nix
    ../../modules/systemdNotify.nix
    ../../services/postgres
    ../../services/mail.nix
    ../../services/lldap.nix
    ../../services/authelia.nix
    ../../services/forgejo
    ../../services/restic/home-server.nix
    ../../services/samba/home-server.nix
    # ../../services/kodi.nix
    ../../services/jellyfin.nix
    ../../services/etebase.nix
    ../../services/website.nix
    ../../services/wkd.nix
    ../../services/home-assistant
    ../../services/matrix
    ../../services/miniflux.nix
    ../../services/paperless.nix
    ../../services/nextcloud.nix
    ../../services/collabora-office.nix
    ../../services/calibre-web.nix
  ];

  age.secrets.cloudflare.file = ../../secrets/cloudflare.age;
  age.secrets.hostKey.file = ../../secrets/home-server/hostKey.age;

  networking.domain = "home.felschr.com";

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  networking.firewall.allowedUDPPorts = [
    80
    443
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "dev@felschr.com";

  services.inadyn.enable = true;
  services.inadyn.provider = "cloudflare.com";
  services.inadyn.username = "felschr.com";
  services.inadyn.passwordFile = config.age.secrets.cloudflare.path;
  services.inadyn.extraConfig = ''
    proxied = false
  '';
  services.inadyn.ipv4.enable = true;
  services.inadyn.ipv4.command = "${pkgs.writeScript "get-ipv4" ''
    eth=$(ls /sys/class/net | grep -E '^(enp|eth)' | head -1)
    ${pkgs.curl}/bin/curl -4 --interface "$eth" ip.me
  ''}";
  services.inadyn.ipv6.enable = true;
  services.inadyn.ipv6.command = "${pkgs.writeScript "get-ipv6" ''
    eth=$(ls /sys/class/net | grep -E '^(enp|eth)' | head -1)
    ${pkgs.iproute2}/bin/ip -6 addr show dev "$eth" scope global to '2000::/3' \
      | grep -o '[0-9a-f:]*::102'
  ''}";
  services.inadyn.domains = [
    "felschr.com"
    "dns.felschr.com"
    "openpgpkey.felschr.com"
    "ldap.felschr.com"
    "auth.felschr.com"
    "git.felschr.com"
    "home.felschr.com"
    "esphome.felschr.com"
    "matrix.felschr.com"
    "element.felschr.com"
    "cloud.felschr.com"
    "office.felschr.com"
    "media.felschr.com"
    "photos.felschr.com"
    "books.felschr.com"
    "news.felschr.com"
    "etebase.felschr.com"
    "paperless.felschr.com"
  ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedZstdSettings = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
  };

  programs.zsh.enable = true;

  programs.ssh.enableAskPassword = false;

  services.openssh = {
    enable = true;
    settings = {
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
    inherit hostKeys;
  };

  services.tailscale.useRoutingFeatures = "both";
  services.tailscale.extraUpFlags = [
    # "--accept-routes" # breaks incoming connections from outside Tailnet
    "--advertise-tags=tag:felschr-com"
    "--advertise-connector"
  ];

  # ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
  boot.initrd.availableKernelModules = [ "igb" ];
  boot.initrd.network = {
    enable = true;
    udhcpc.enable = !config.boot.initrd.systemd.enable;
    ssh = {
      enable = true;
      hostKeys = map (f: f.path) hostKeys;
      authorizedKeys = config.users.users.felschr.openssh.authorizedKeys.keys;
    };
  };
  boot.initrd.systemd.network.networks."10-lan" = config.systemd.network.networks."10-lan";
  boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
  # allow automated decryption
  # `echo -n '<LUKS passphrase here>' | clevis encrypt tang '{"url": "http://doctr.local:9090"}' > home-server-enc.jwe`
  boot.initrd.clevis.enable = true;
  boot.initrd.clevis.useTang = true;
  boot.initrd.clevis.devices."enc".secretFile = ../../secrets/clevis/home-server-enc.jwe;

  systemd.notify = {
    enable = true;
    method = "email";
    email.mailTo = "admin@felschr.com";
    email.mailFrom = "${config.networking.hostName} <${config.programs.msmtp.accounts.default.from}>";
  };

  # only change this when specified in release notes
  system.stateVersion = "24.11";

  system.autoUpgrade.allowReboot = true;
  system.autoUpgrade.rebootWindow = {
    lower = "03:00";
    upper = "05:00";
  };
}