# NixOS host module for "tahani": DNS filtering, Docker, SSH, static LAN
# addressing, Syncthing secrets, and a Gitea instance published over the
# tailnet through Caddy.
{ config, hostname, user, ... }:
let
  # MagicDNS suffix shared by the Gitea and Caddy virtual hosts below.
  tailnetDomain = "manticore-hippocampus.ts.net";
  giteaHost = "gitea.${tailnetDomain}";
  # Gitea binds loopback only; Caddy is the sole externally reachable front.
  giteaPort = 8380;
  homeDir = "/home/${user}";
in
{
  imports = [ ../../modules/nixos ];

  # AdGuard Home: `port` is the web UI/API port; `settings` is written into
  # AdGuard's own configuration (upstream resolvers, filtering toggles).
  services.adguardhome = {
    enable = true;
    port = 10000;
    settings = {
      dns.upstream_dns = [ "1.1.1.1" "1.0.0.1" ];
      filtering = {
        protection_enabled = true;
        filtering_enabled = true;
        safe_search.enabled = false;
      };
    };
  };

  virtualisation.docker.enable = true;

  # SSH is key-only; root may log in with a key but never with a password.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
    };
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXROOT";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-label/NIXBOOT";
      fsType = "vfat";
    };
  };

  networking = {
    hostName = hostname;
    useDHCP = false;
    interfaces.eno1.ipv4.addresses = [
      {
        address = "192.168.1.10";
        prefixLength = 24;
      }
    ];
    defaultGateway = "192.168.1.1";
    # The host itself resolves via 1.1.1.1 directly, not via the local
    # AdGuard instance configured above.
    nameservers = [ "1.1.1.1" ];
    firewall = {
      enable = true;
      # NOTE(review): eno1 is the LAN uplink and is listed as trusted, so the
      # allowedTCPPorts/allowedUDPPorts lists only constrain traffic arriving
      # on other interfaces; anything listening on this host (e.g. the AdGuard
      # UI on 10000 and Caddy) is reachable from the LAN unfiltered — confirm
      # this is intended rather than listing the LAN-facing ports explicitly.
      trustedInterfaces = [ "eno1" "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
      # TODO(review): nothing in this file listens on 5555; document which
      # service it is opened for.
      allowedTCPPorts = [ 22 5555 ];
      # Loose reverse-path filtering is needed for traffic routed via tailscale0.
      checkReversePath = "loose";
    };
  };

  # Syncthing device identity, decrypted at activation into the user's config
  # directory and owned by that user.
  sops.secrets = {
    tahani-syncthing-cert = {
      sopsFile = ../../secrets/tahani-syncthing-cert;
      format = "binary";
      owner = user;
      path = "${homeDir}/.config/syncthing/cert.pem";
    };
    tahani-syncthing-key = {
      sopsFile = ../../secrets/tahani-syncthing-key;
      format = "binary";
      owner = user;
      path = "${homeDir}/.config/syncthing/key.pem";
    };
  };

  services.syncthing.settings.folders = {
    "Projects/Personal" = {
      path = "${homeDir}/Projects/Personal";
      devices = [ "tahani" "jason" ];
    };
    "Projects/Work" = {
      path = "${homeDir}/Projects/Work";
      devices = [ "tahani" "chidi" ];
    };
  };

  services.gitea = {
    enable = true;
    settings.server = {
      ROOT_URL = "https://${giteaHost}/";
      DOMAIN = giteaHost;
      # Loopback only: Gitea is exposed solely through the Caddy reverse proxy.
      HTTP_ADDR = "127.0.0.1";
      HTTP_PORT = giteaPort;
    };
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      # Plain health endpoint for the host's own tailnet name.
      "tahani.${tailnetDomain}".extraConfig = ''
        respond "OK"
      '';
      ${giteaHost}.extraConfig = ''
        reverse_proxy localhost:${toString giteaPort}
      '';
    };
  };

  # Let the caddy user obtain Tailscale-issued HTTPS certificates for the
  # virtual hosts above.
  services.tailscale.permitCertUid = "caddy";

  home-manager.users.${user} = {
    programs.git.settings.user.email = "christoph@schmatzler.com";
  };
}