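# NixOS host configuration for "vulpecula" (domain vulpecula.zone).
#
# Pulls in the hardware profile, the shared base profile and one module per
# hosted service, opens only HTTP/HTTPS in the firewall, boots via GRUB on
# /dev/sda, defines the admin user "tasia", and serves the static site from
# the `vulpecula-zone` flake input through nginx with an ACME certificate.
{ config, lib, inputs, ... }:
let
  # Public SSH keys are kept in one shared file and referenced by name.
  sshKeys = import ../../crypto/ssh-keys.nix;
in {
  imports = [
    ./hardware-configuration.nix
    ../../common/base.nix
    ./services/tasiaiso.nix
    ./services/forgejo.nix
    ./services/grafana.nix
    ./services/wallabag.nix
    ./services/nextcloud.nix
    ./services/vaultwarden.nix
    ./services/linkding.nix
    ./services/uptime-kuma.nix
    # ./thymis.nix
  ];

  networking = {
    hostName = "vulpecula";
    firewall = {
      # Only the web ports are opened here. Other modules (e.g. an SSH
      # service in base.nix, if it is enabled there) may open their own
      # ports; check the evaluated firewall config to confirm.
      allowedTCPPorts = [
        80
        443
        # 22
      ];
      allowedUDPPorts = [
        # 8080 # ?
      ];
    };
  };

  # Disable systemd-boot, use grub instead
  boot = {
    loader.systemd-boot.enable = lib.mkForce false;
    initrd = {
      enable = lib.mkForce true;
      systemd.enable = lib.mkForce false;
    };
  };
  boot.loader.grub.device = "/dev/sda";

  users.users.tasia = {
    isNormalUser = true;
    description = "Tasia";
    # "wheel" makes this an administrative account, so its password also
    # guards privilege escalation.
    extraGroups = ["networkmanager" "wheel" "dialout"];
    # NOTE(review): this value is committed in plain text, is a widely
    # published example passphrase, and initialPassword values end up
    # world-readable in the Nix store. It is only applied when the account
    # is first created, so confirm it was changed with `passwd` after first
    # boot. For new deployments prefer `hashedPasswordFile` fed from a
    # secrets mechanism, and confirm password login over SSH is disabled
    # wherever sshd is configured (not visible in this file).
    initialPassword = "correcthorsebatterystaple";
    openssh.authorizedKeys.keys = [
      sshKeys.tasia.cave
    ];
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # virtualHosts."84.247.186.214" = {
    #   addSSL = true;
    #   enableACME = true;
    #   root = inputs.vulpecula-zone.packages.x86_64-linux.default;
    # };

    virtualHosts."vulpecula.zone" = {
      # forceSSL instead of addSSL: port 80 still answers the ACME HTTP-01
      # challenge, but every other plain-HTTP request is redirected to
      # HTTPS rather than being served unencrypted.
      forceSSL = true;
      enableACME = true;
      # Default server: also answers requests whose Host header matches no
      # other virtual host.
      default = true;
      root = inputs.vulpecula-zone.packages.x86_64-linux.default;
    };
  };

  # Ports published by containers are handled by Docker's own iptables
  # rules and are not limited by networking.firewall.allowedTCPPorts;
  # publish on 127.0.0.1 anything that should only be reachable via nginx.
  virtualisation.docker.enable = true; # change when ppl can make their own website

  security.acme = {
    acceptTerms = true;
    defaults.email = "tasiaiso@proton.me";
  };

  boot.tmp.cleanOnBoot = true;
  networking.domain = "vulpecula.zone";
  # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@cave'' ];
  system.stateVersion = "24.05";
}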