# NixOS host module for the attic binary-cache front-end on a Hetzner cloud
# instance: legacy-BIOS boot, systemd-networkd WAN, docker, and an nginx TLS
# reverse proxy in front of atticd (see ./atticd.nix) with a local disk cache.
{ lib, ... }:
let
  # Single WAN interface name used by the networkd unit below.
  wanInterface = "enp1s0";
  # atticd listens on loopback only; nginx is the sole public entry point.
  atticUpstream = "http://[::1]:8080";
  # Public name the ACME certificate is issued for.
  atticHost = "attic.teepot.org";
in
{
  imports = [
    ./hardware-configuration.nix
    ./atticd.nix
  ];

  # Site-local option set provided elsewhere in this repository.
  metacfg = {
    base.enable = true;
    nix.enable = true;
  };

  # Unattended upgrades may reboot the machine on their own (allowReboot).
  system = {
    autoUpgrade = {
      enable = true;
      operation = "switch";
      allowReboot = true;
    };
    stateVersion = "25.11";
  };

  virtualisation = {
    docker.enable = true;
    podman.dockerCompat = false;
    libvirtd.enable = false;
  };

  # Legacy BIOS boot (Hetzner cloud instance): the shared base profile
  # presumably selects systemd-boot/EFI, hence the mkForce overrides.
  boot.loader = {
    grub.enable = true;
    systemd-boot.enable = lib.mkForce false;
    efi.canTouchEfiVariables = lib.mkForce false;
  };

  security = {
    # Members of "wheel" become root without a password, so any wheel
    # account's login credential (e.g. its SSH key) is effectively a root
    # credential on this host.
    sudo.wheelNeedsPassword = false;
    # No TPM expected on this instance — presumably; confirm with the provider.
    tpm2 = {
      enable = false;
      abrmd.enable = false;
    };
    acme = {
      acceptTerms = true;
      defaults.email = "harald@hoyer.xyz";
    };
  };

  networking = {
    wireless.enable = false;
    # Addressing is handled by systemd-networkd, not the legacy DHCP client.
    useDHCP = false;
    useNetworkd = true;
    firewall = {
      # Only the nginx ports are reachable from outside; atticd itself is
      # bound to loopback and stays behind the proxy.
      allowedTCPPorts = [ 80 443 ];
      allowPing = true;
    };
  };

  # IPv4 via DHCP; IPv6 statically assigned with the provider's link-local gateway.
  systemd.network.networks."30-wan" = {
    matchConfig.Name = wanInterface;
    networkConfig.DHCP = "ipv4";
    address = [ "2a01:4f9:c014:619::1/64" ];
    routes = [ { Gateway = "fe80::1"; } ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # On-disk cache zone "attic" used by the virtual host below.
    appendHttpConfig = ''
      proxy_cache_path /var/cache/nginx/attic levels=1:2 keys_zone=attic:10m max_size=10g inactive=30d use_temp_path=off;
    '';
    virtualHosts.${atticHost} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = atticUpstream;
        proxyWebsockets = true;
        # NOTE(review): client_max_body_size 0 removes the request-body limit,
        # presumably for large cache uploads; the upstream service is then the
        # only thing bounding upload size — confirm.
        # NOTE(review): $request_method is never empty, so proxy_cache_bypass
        # evaluates true for every request and cached entries are written but
        # never served; confirm whether that is intended.
        extraConfig = ''
          client_max_body_size 0;
          proxy_cache attic;
          proxy_cache_valid 200 30d;
          proxy_cache_use_stale error timeout updating;
          proxy_cache_methods GET HEAD;
          proxy_cache_bypass $request_method;
        '';
      };
    };
  };

  powerManagement.cpuFreqGovernor = "ondemand";
}