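# NixOS host module: pulls in the per-service modules, enables the shared
# metacfg profiles, and configures unattended upgrades, secrets and SSH.
#
# Layout note: this file must keep one item per line. Collapsed onto a single
# line, the `#` before ./goaccess.nix and the one after apacheHttpd would
# comment out everything that follows them.
{
  pkgs,
  lib,
  config,
  ...
}:
{
  imports = [
    # ./goaccess.nix  (disabled)
    ./acme.nix
    ./backup.nix
    ./coturn.nix
    ./disk-check.nix
    ./forgejo.nix
    ./hardware-configuration.nix
    ./headscale.nix
    ./kicker.nix
    ./mailserver.nix
    ./network.nix
    ./nextcloud.nix
    ./nextcloud-claude-bot
    ./nginx.nix
    ./ntfy.nix
    ./postgresql.nix
    ./rspamd.nix
    ./rustdesk.nix
    ./users.nix
  ];

  services.tailscale.enable = true;

  # Project-local option set; what each switch does is defined outside this file.
  metacfg = {
    services.nginxBase.enable = true;
    services.acmeBase.enable = true;
    emailOnFailure.enable = true;
    base.enable = true;
    nix.enable = true;
    podman.enable = true;
    # NOTE(review): secure boot is off while TPM2 is enabled below. Confirm that
    # nothing on this host relies on TPM-bound state implying a verified boot
    # chain.
    secureboot.enable = false;
    tools = {
      direnv.enable = true;
    };
  };

  # mkDefault: other modules may override these without mkForce.
  security = {
    tpm2.enable = lib.mkDefault true;
    tpm2.abrmd.enable = lib.mkDefault true;
  };

  # Unattended upgrade: at 04:00 the flake output `mx` from the checkout in
  # /root/nixcfg is built and activated with `switch`; the host may reboot on
  # its own afterwards.
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    operation = "switch";
    allowReboot = true;
    flake = lib.mkForce "/root/nixcfg/.#mx";
  };

  # Before each upgrade the checkout is force-synced to origin/HEAD. Whatever
  # that ref points to is then built and activated as root, with no review step
  # and no signature check in between.
  # NOTE(review): push access to `origin` is equivalent to root on this host.
  # Consider checking a signed commit or tag (e.g. `git verify-commit`) before
  # the reset, and restrict who can update that branch.
  systemd.services.nixos-upgrade = {
    path = [ pkgs.git ];
    preStart = ''
      cd /root/nixcfg
      git fetch origin
      git reset --hard origin/HEAD
    '';
  };

  # Daily garbage collection of generations older than 7 days. Combined with the
  # nightly auto-upgrade, rollback targets older than a week are not kept.
  nix.gc = {
    dates = "daily";
    options = "--delete-older-than 7d";
  };

  # System-wide git config: exempts this one bare repository from git's
  # repository-ownership check for every user on the host.
  # NOTE(review): presumably this is the `origin` of /root/nixcfg and is owned
  # by the forge's service user; confirm. Keep the exemption limited to this
  # single path (never "*").
  programs.git.config = {
    safe.directory = "/var/lib/gitea/repositories/harald/nixcfg.git";
  };

  environment.systemPackages = with pkgs; [
    age
    apacheHttpd # for mkpasswd (NOTE(review): apacheHttpd ships htpasswd; confirm which tool is meant)
    efibootmgr
    fgallery
    git
    htop
    mdadm
    rrsync
    tpm2-pkcs11
    tpm2-pkcs11.out
    tpm2-tools
    zola
  ];

  sops.secrets.ntfy = {
    sopsFile = ../../../.secrets/hetzner/ntfy.yaml;
  };

  # The ed25519 SSH host key below doubles as the age identity that sops-nix
  # uses to decrypt secrets. Rotating or exposing that key therefore affects
  # both the SSH host identity and every secret encrypted to it.
  sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];

  # Host keys are kept under /var/lib/secrets instead of the default location.
  # NOTE(review): this file sets neither the permissions of /var/lib/secrets nor
  # any sshd authentication settings (PasswordAuthentication, PermitRootLogin).
  # Confirm both are handled in an imported module.
  services.openssh = {
    enable = true;
    hostKeys = [
      {
        path = "/var/lib/secrets/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/var/lib/secrets/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  # Release whose stateful-data defaults this host was installed with; it is not
  # the version being run and should not be bumped as part of an upgrade.
  system.stateVersion = "23.05";
}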