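# Common host module: QEMU guest boot, networkd WAN, hardened sshd, fail2ban,
# tailscale (via sops-managed auth key), admin user and nix daemon settings.
{ config, lib, modulesPath, pkgs, ... }:

let
  # One hardware-backed (cardno:) ed25519 key, reused for the admin user and
  # for root so the two authorized_keys lists cannot drift apart.
  adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026";
in
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  boot = {
    loader.grub = {
      devices = [ "/dev/sda" ];
      efiSupport = true;
      # Install to the EFI fallback path (presumably the guest firmware does
      # not persist NVRAM boot entries — confirm on the hypervisor in use).
      efiInstallAsRemovable = true;
    };
    initrd.kernelModules = [ "virtio_gpu" ];
    kernelParams = [ "console=tty" ];
  };

  time.timeZone = lib.mkDefault "Europe/Berlin";

  networking.useNetworkd = true;
  systemd.network = {
    enable = true;
    networks."30-wan" = {
      matchConfig.Name = "enp1s0";
      networkConfig.DHCP = "ipv4";
      # Static IPv6 default route via the provider's link-local gateway.
      routes = [ { Gateway = "fe80::1"; } ];
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # Disabling PasswordAuthentication alone leaves the PAM
      # challenge-response path open; close it too so only keys are accepted.
      KbdInteractiveAuthentication = false;
      # Root is reachable with adminKey only; this is the NixOS default,
      # spelled out so the intent survives future option changes.
      PermitRootLogin = "prohibit-password";
    };
    extraConfig = ''
      PrintLastLog no
    '';
  };

  environment = {
    # Custom fail2ban filters. No jail in this module references them, so the
    # jails are presumably defined elsewhere — verify they exist, otherwise
    # these filters are never loaded.
    #
    # NOTE(review): fail2ban requires a <HOST> group in failregex to know which
    # address to ban; the copy reviewed had lost it (the postfix pattern read
    # `\[\]:`), so it is restored at the usual position in both filters —
    # confirm against the live nginx/postfix log formats.
    etc = {
      "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
        [Definition]
        failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d\" 404.*$
      '';
      "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
        [Definition]
        failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
        journalmatch = _SYSTEMD_UNIT=postfix.service
      '';
    };
    pathsToLink = [ "/share/zsh" ];
    shells = [ pkgs.zsh ];
    enableAllTerminfo = true;
  };

  services.fail2ban = {
    enable = true;
    ignoreIP = [
      "100.64.0.0/24" # tailnet
    ];
    maxretry = 3;
    bantime = "2h";
    # ipset-backed ban action; the ipset binary must be on fail2ban's PATH.
    extraPackages = [ pkgs.ipset ];
    banaction = "iptables-ipset-proto6-allports";
  };

  sops.secrets.tailscale-authkey = {
    owner = "root";
    group = "root";
    sopsFile = ./common.yaml;
  };

  services.tailscale = {
    enable = true;
    # Do not open the tailscale UDP port in the firewall.
    openFirewall = false;
    extraUpFlags = [ "--login-server=https://headscale.escapeangle.com" ];
    # Pre-auth key is decrypted by sops at activation; never inline it here.
    authKeyFile = config.sops.secrets.tailscale-authkey.path;
  };

  programs.zsh.enable = true;

  users.users = {
    lander = {
      isNormalUser = true;
      shell = pkgs.zsh;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = [ adminKey ];
    };
    root.openssh.authorizedKeys.keys = [ adminKey ];
  };

  security.acme = {
    defaults.email = "landervandenbulcke@gmail.com";
    acceptTerms = true;
  };

  nix = {
    settings = {
      # Trusted users may set any daemon option (substituters, sandbox, ...),
      # which is root-equivalent; keep this list to the wheel admin only.
      trusted-users = [ "lander" ];
      # NOTE(review): auto-accepts the nixConfig of every evaluated flake
      # (extra substituters and their public keys) without prompting — a
      # supply-chain risk; consider removing it and accepting per flake.
      accept-flake-config = true;
      auto-optimise-store = true;
    };
    package = pkgs.nixVersions.stable;
    extraOptions = ''experimental-features = nix-command flakes'';
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}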