{
  self,
  lib,
  config,
  pkgs,
  ...
}:
let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
{
  imports = [
    self.nixosModules.hcloud
  ];
  
  users.users.root = {
    openssh.authorizedKeys.keys = nixosVars.ssh_keys;
    initialPassword = "nixos";
  };
  
  system.stateVersion = "23.11";

  networking = {
    hostName = nixosVars.hostname;
    domain = nixosVars.domain_netname;

    firewall = {
      allowedUDPPorts = [3478];
      allowedTCPPorts = [80 443];
      checkReversePath = "loose";
    };
  };

  sops = {
    #secrets = {
    #  cloudflare-api-token = {};
    #};
    templates."caddy-env.conf".content = ''
      CLOUDFLARE_API_TOKEN=${config.sops.placeholder.cloudflare-api-token}
    '';
    defaultSopsFile = ./secrets/secrets.yaml;
    age = {
      keyFile = "/var/lib/secrets/age";
      generateKey = true;
    };
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        AllowTcpForwarding = "yes";
        AllowAgentForwarding = "yes";
      };
    };

    cloud-init.enable = lib.mkForce false;

    headscale = {
      enable = true;
      address = "[::]";
      port = 8080;
      settings = {
        server_url = "https://${nixosVars.hostname}.${nixosVars.domain_netname}";
        logtail.enabled = false;
        dns = {
          base_domain = "ts.${nixosVars.domain_netname}";
          magic_dns = true;
          search_domains = ["${nixosVars.domain_netname}"];
          nameservers.global = [
            "9.9.9.9"
            "149.112.112.112"
            "2620:fe::fe"
            "2620:fe::9"
          ];
        };
        ip_prefixes = [
          "100.64.0.0/10"
          "fd7a:115c:a1e0::/48"
        ];
      };
    };

    tailscale = {
      enable = true;
    };

    caddy = {
      enable = true;
      package = pkgs.caddy.withPlugins {
        plugins = [ "github.com/caddy-dns/cloudflare@v0.0.0-20250214163716-188b4850c0f2" ];
        hash = "sha256-izuQXvxIq3ycxcUuMErz7MbP9RwLkj+bhliK9H6Heqc=";
      };
      globalConfig = ''    
        acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        cert_issuer acme {
          resolvers 1.1.1.1
        }
      '';
      virtualHosts = {
        "${nixosVars.hostname}.${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy localhost:8080
        '';
        "ts.${nixosVars.domain_netname}".extraConfig = ''
          respond "Access Denied" 403
        '';
        "*.ts.${nixosVars.domain_netname}".extraConfig = ''
          respond "Access Denied" 403
        '';
        "${nixosVars.domain_realname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "*.${nixosVars.domain_realname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "*.${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy http://docker
        '';
      };
    };
  };

  systemd = {
    services = {
      caddy = {
        unitConfig = {
          After = [ "sops-nix.service" ];
        };
        serviceConfig = {
          EnvironmentFile = lib.mkForce [config.sops.templates."caddy-env.conf".path];
        };
      };
    };
    network.networks."10-wan" = {
  	  matchConfig.MACAddress = "96:00:04:16:ed:c5";
      address = [
        "${nixosVars.ipv4_address}/32"
        "${nixosVars.ipv6_address}/64"
      ];
      routes = [
        { Gateway = "fe80::1"; }
        {
          Gateway = "172.31.1.1";
          GatewayOnLink = true;
        }
      ];
      linkConfig.RequiredForOnline = "routable";
    };
  };

  boot.supportedFilesystems = ["btrfs"];
  environment.systemPackages = [
    pkgs.btrfs-progs
    pkgs.shadow
    pkgs.vim
    pkgs.speedtest-cli
    pkgs.git
    pkgs.hcloud
    pkgs.dhcpcd
    pkgs.age
  ];

  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
  };
}