# NixOS host configuration: SSH (non-standard ports), nginx in front of
# gitea and headscale, and a WireGuard endpoint for the peer "labyrinth".
#
# Security notes for reviewers of this file:
# * `security.sudo.wheelNeedsPassword = false` together with
#   `nix.settings.trusted-users = [ "@wheel" ]` makes every wheel member
#   (currently only "christian") equivalent to root with no password prompt.
#   Protection of this host therefore rests entirely on the SSH credentials
#   configured for that user in ../../users/christian (not visible here).
# * sshd authentication settings (PasswordAuthentication, PermitRootLogin,
#   ...) are left at NixOS defaults in this file; confirm they are hardened
#   in an imported module before exposing the SSH ports to the internet.
# * The WireGuard private key is generated on first boot into
#   /srv/wireguard. The `impermanence` module argument is accepted but not
#   used here — if the root filesystem is ephemeral, make sure that path is
#   persisted or the key (and the peer's configuration) changes on reboot.
{ impermanence, pkgs, ... }:
let
  # Listen ports used by this host. The SSH ports are not listed in
  # networking.firewall.allowedTCPPorts because NixOS opens
  # services.openssh.ports itself (services.openssh.openFirewall defaults
  # to true). `gitea` and `headscale` are not referenced in this file;
  # presumably the imported modules use their own option defaults.
  ports = {
    ssh = [ 2322 2323 2324 ];
    gitea = 10010;
    headscale = 10020;
    wg0 = 51820;
  };

  # Public keys belonging to the peer host "labyrinth":
  #   wg  – its WireGuard public key (only peer allowed on wg0)
  #   nix – its store-path signing key, trusted for substitution below
  pubkeys.labyrinth = {
    wg = "fGP6Iebdk31dDtreRmvrur+9IzRL56v3N/sw1ILGPSk=";
    nix = "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0=";
  };
in
{
  imports = [
    ./hardware.nix
    ../../modules/gitea
    ../../modules/headscale
    ../../users/christian
  ];

  # Network services. gitea and headscale are configured by the imported
  # modules; nginx is expected to front them on 80/443 (opened below).
  services = {
    gitea.enable = true;
    headscale.enable = true;
    nginx.enable = true;
    openssh = {
      enable = true;
      ports = ports.ssh;
    };
  };

  # mosh opens its own UDP range (60000-61000) in the firewall by default
  # via programs.mosh.openFirewall; it is not listed in allowedUDPPorts.
  programs.mosh.enable = true;

  users = {
    # Declarative users only: passwords/keys must come from the user module.
    mutableUsers = false;
    users.christian = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];  # grants passwordless sudo + trusted-user, see header
    };
  };

  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];      # nginx; SSH handled by openssh.openFirewall
      allowedUDPPorts = [ ports.wg0 ];   # WireGuard listener
    };

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.11.12.1/24" ];
        listenPort = ports.wg0;
        # Key is created at activation if missing; see header note on persistence.
        privateKeyFile = "/srv/wireguard/wg0.private";
        generatePrivateKeyFile = true;
        # This side has no `endpoint`: it only answers the peer. The /32
        # allowedIPs pins the peer to a single tunnel address.
        peers = [
          {
            publicKey = pubkeys.labyrinth.wg;
            allowedIPs = [ "10.11.12.2/32" ];
          }
        ];
      };
    };
  };

  security = {
    sudo = {
      # NOTE: no password for wheel -> SSH key compromise == root. See header.
      wheelNeedsPassword = false;
      extraConfig = ''
        Defaults lecture = never
      '';
    };
    acme = {
      acceptTerms = true;
      defaults.email = "cert@ctsk.xyz";
    };
  };

  nix.settings = {
    # Trusted users may change substituters and other daemon settings;
    # effectively root-equivalent (wheel already is, via sudo above).
    trusted-users = [ "@wheel" ];
    # Accept store paths signed by labyrinth in addition to the defaults.
    trusted-public-keys = [ pubkeys.labyrinth.nix ];
  };

  # `config-archive` is not a stock nixpkgs attribute; it presumably comes
  # from an overlay applied elsewhere in the flake.
  environment.systemPackages = with pkgs; [ config-archive ];

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # Pin to the release this host was first installed with; do not bump casually.
  system.stateVersion = "23.05";
}