{ pkgs, lib, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./rspamd.nix
    ./goaccess.nix
    ./nextcloud.nix
    ./backup.nix
    ./users.nix
    ./kicker.nix
    ./mailserver.nix
    ./acme.nix
    ./forgejo.nix
    ./nginx.nix
    ./network.nix
  ];

  metacfg = {
    base.enable = true;
    nix.enable = true;
    podman.enable = true;
    secureboot.enable = false;
  };

  security = {
    tpm2.enable = lib.mkDefault true;
    tpm2.abrmd.enable = lib.mkDefault true;
  };

  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    operation = "switch";
    allowReboot = true;
    flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
  };

  environment.systemPackages = with pkgs; [
    age
    apacheHttpd # for mkpasswd
    efibootmgr
    fgallery
    git
    htop
    mdadm
    rrsync
    tpm2-pkcs11
    tpm2-pkcs11.out
    tpm2-tools
    zola
  ];

  sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];

  services.openssh = {
    enable = true;
    hostKeys = [
      {
        path = "/var/lib/secrets/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/var/lib/secrets/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  system.stateVersion = "23.05";
}