# Host configuration for a small self-hosted server: Gitea, Headscale and
# nginx, administered over SSH/mosh by a single wheel user.
{ impermanence, pkgs, ... }:

let
  # Port map for this host. Only `ports.ssh` is referenced in this file.
  # NOTE(review): `gitea` and `headscale` are unused here and, being a local
  # let-binding, are not visible to the imported modules. Confirm those
  # modules bind the same ports, or pass the values in explicitly.
  ports = {
    ssh = [ 2322 2323 2324 ];
    gitea = 10010;
    headscale = 10020;
  };
in
{
  imports = [
    ./hardware.nix
    ../../modules/gitea
    ../../modules/headscale
    ../../users/christian
  ];

  # --- Network-facing services -------------------------------------------
  services.gitea.enable = true;
  services.nginx.enable = true;
  services.headscale.enable = true;

  # sshd listens on three non-default ports. The NixOS openssh module opens
  # its listening ports in the firewall by default (openFirewall), so these
  # are reachable even though they are absent from allowedTCPPorts below.
  # NOTE(review): password authentication is not disabled in this file.
  # Confirm that key-only login is enforced elsewhere (e.g. in
  # ../../users/christian), since this account has passwordless sudo.
  services.openssh = {
    enable = true;
    ports = ports.ssh;
  };

  # mosh rides on the sshd above for authentication. The NixOS module also
  # opens a UDP port range for it by default (60000-61000).
  programs.mosh.enable = true;

  # Only HTTP/HTTPS are opened explicitly. Gitea (10010) and Headscale
  # (10020) are not listed, so they are presumably published through nginx.
  # Confirm the vhosts in the imported modules.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };

  # --- Accounts and privilege --------------------------------------------
  # Accounts are fully declarative: changes made at runtime with
  # passwd/useradd do not persist.
  users.mutableUsers = false;
  users.users.christian = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
  };

  # Every wheel member can become root without a password, so a compromised
  # login session for `christian` is equivalent to root on this host.
  security.sudo = {
    wheelNeedsPassword = false;
    extraConfig = ''
      Defaults lecture = never
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "cert@ctsk.xyz";
  };

  # --- Nix daemon trust --------------------------------------------------
  nix.settings = {
    # Trusted users may override daemon settings such as substituters; the
    # Nix manual treats this as equivalent to root access. With passwordless
    # sudo for wheel this adds no new privilege, but it is one more path to
    # tighten if sudo is hardened later.
    trusted-users = [ "@wheel" ];

    # Store paths signed by this key are accepted from substituters. The
    # security of this host's store therefore depends on how the
    # corresponding "labyrinth-1" private key is protected.
    trusted-public-keys = [
      "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0="
    ];
  };

  # `config-archive` is presumably provided by an overlay in this repository;
  # confirm where it comes from.
  environment.systemPackages = [ pkgs.config-archive ];

  # --- Boot --------------------------------------------------------------
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # Compatibility marker for stateful data; not the running NixOS version.
  system.stateVersion = "23.05";
}