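{ pkgs, lib, ... }:
let
  # Disk-usage checks, keyed by systemd unit name. `mount` is the path handed
  # to df, `subject` the mail subject, `description` the wording in the mail
  # body. Both units are generated by mkDiskCheckService below so they cannot
  # drift apart again (the previous hand-copied check_root still carried the
  # "/boot" mail subject).
  diskChecks = {
    check_boot = {
      mount = "/boot";
      subject = "/boot Disk Space Alert";
      description = "/boot partition";
    };
    check_root = {
      mount = "/";
      subject = "Root Disk Space Alert";
      description = "root partition";
    };
  };

  # Usage percentage above which an alert mail is sent.
  diskThreshold = 85;
  # Local user that receives the alert mail.
  diskAlertRecipient = "harald";

  # Build the oneshot service for one entry of `diskChecks`.
  # The script runs as root (no User= is set); PATH is pinned to the system
  # profile so only binaries from /run/current-system are picked up.
  mkDiskCheckService =
    name:
    {
      mount,
      subject,
      description,
    }:
    {
      serviceConfig = {
        Type = "oneshot";
        Environment = "PATH=/run/current-system/sw/bin";
        ExecStart = toString (
          pkgs.writeShellScript "${name}.sh" ''
            # Fail the unit visibly if df or mail fail instead of comparing an
            # empty string below.
            set -euo pipefail

            # Percent used of the filesystem holding the mount point. --output
            # selects the column directly instead of grepping for the mount
            # name, and tail skips df's header line.
            CURRENT=$(df --output=pcent ${lib.escapeShellArg mount} | tail -n 1 | tr -d ' %')
            THRESHOLD=${toString diskThreshold}

            if [ "$CURRENT" -gt "$THRESHOLD" ]; then
                ${pkgs.mailutils}/bin/mail -s ${lib.escapeShellArg subject} ${lib.escapeShellArg diskAlertRecipient} << EOF
            Your ${description} remaining free space is critically low. Used: $CURRENT%
            EOF
            fi
          ''
        );
      };
      # default.target also pulls the check in once at boot; the daily runs
      # come from the timer of the same name.
      wantedBy = [ "default.target" ];
    };

  # Daily timer shared by all entries of `diskChecks`.
  dailyTimer = {
    timerConfig = {
      OnCalendar = "daily";
    };
    wantedBy = [ "timers.target" ];
  };
in
{
  imports = [
    # ./goaccess.nix
    ./acme.nix
    ./backup.nix
    ./coturn.nix
    ./forgejo.nix
    ./hardware-configuration.nix
    ./kicker.nix
    ./mailserver.nix
    ./network.nix
    ./nextcloud.nix
    ./nginx.nix
    ./postgresql.nix
    ./rspamd.nix
    # ./rustdesk.nix
    ./users.nix
  ];

  # Options of a custom module that is not part of this file; only the values
  # chosen here are visible.
  metacfg = {
    base.enable = true;
    nix.enable = true;
    podman.enable = true;
    # Secure Boot is explicitly left off on this host.
    secureboot.enable = false;
    tools = {
      direnv.enable = true;
    };
  };

  # TPM2 support; mkDefault leaves these overridable by other modules.
  security = {
    tpm2.enable = lib.mkDefault true;
    tpm2.abrmd.enable = lib.mkDefault true;
  };

  # Unattended nightly upgrade from the local checkout that the nixos-upgrade
  # preStart below refreshes. allowReboot lets it reboot the host without an
  # operator present.
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    operation = "switch";
    allowReboot = true;
    #    flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
    flake = lib.mkForce "/root/nixcfg/.#mx";
  };

  systemd.services = {
    # Refresh /root/nixcfg before the upgrade runs. This executes as root and
    # takes whatever origin/HEAD currently points at; nothing in this file
    # verifies a signature or tag on the fetched commit, so push access to
    # that remote amounts to root on this host. The remote URL is not visible
    # here — presumably the Forgejo instance imported above; confirm.
    # NOTE(review): consider `git verify-commit origin/HEAD` before the reset.
    nixos-upgrade = {
      path = [ pkgs.git ];
      preStart = ''
        cd /root/nixcfg
        git fetch origin
        git reset --hard origin/HEAD
      '';
    };
  }
  // lib.mapAttrs mkDiskCheckService diskChecks;

  systemd.timers = lib.mapAttrs (_name: _cfg: dailyTimer) diskChecks;

  nix.gc = {
    dates = "daily";
    options = "--delete-older-than 7d";
  };

  # Tells root's git not to refuse the bare repository for being owned by a
  # different user. Presumably kept for the commented-out git+file flake URL
  # above; nothing else in this file references that path.
  programs.git.config = {
    safe.directory = "/var/lib/gitea/repositories/harald/nixcfg.git";
  };

  environment.systemPackages = with pkgs; [
    age
    apacheHttpd # for mkpasswd
    efibootmgr
    fgallery
    git
    htop
    mdadm
    rrsync
    tpm2-pkcs11
    tpm2-pkcs11.out
    tpm2-tools
    zola
  ];

  # The SSH host key doubles as the age identity for sops-nix; rotating the
  # host key therefore also requires re-encrypting the secrets for the new key.
  sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];

  # Host keys live under /var/lib/secrets rather than /etc/ssh so the ed25519
  # key path matches the sops identity above.
  services.openssh = {
    enable = true;
    hostKeys = [
      {
        path = "/var/lib/secrets/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/var/lib/secrets/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  system.stateVersion = "23.05";
}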