# NixOS host configuration for the "vps" machine (networking.hostName below).
# As far as this file shows, the host terminates the wg-* networks, forwards
# selected traffic to the home server (config.my.ips.wg-server) and is rebuilt
# remotely by the "nixremote" user.
{ config, lib, inputs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];

  # Per-host toggles, with the remote-build user enabled on top of them.
  # NOTE(review): `//` is a shallow merge — the `users` attrset written here
  # replaces any `users.*` value toggles.nix may set; confirm toggles.nix
  # defines no other users.* toggles for this host.
  my = import ./toggles.nix { inherit config inputs; } // {
    secureHost = true;
    users.nixremote = {
      enable = true;
      # Only keys belonging to these three hosts may log in as nixremote.
      # Together with the sudo rule further down, this list is the effective
      # access boundary for root-level changes to this machine.
      authorizedKeys = inputs.self.lib.getSshKeys [ "nixworkstation" "nixserver" "nixminiserver" ];
    };
  };

  # Presumably selects the Linode image build variant — confirm against the
  # module that defines image.modules.
  image.modules.linode = { };

  networking.hostName = "vps";

  # Overrides whatever base.nix sets; presumably no SMART-capable disks on a VPS.
  services.smartd.enable = lib.mkForce false;

  environment.systemPackages = [ ];

  networking.firewall =
    let
      # Public interface, looked up by host name from the shared `my` options.
      externalInterface = config.my.interfaces.${config.networking.hostName};
      homeServer = config.my.ips.wg-server;
      wgSubnet = "${config.my.ips.wg-s}/24";
      wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
      wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
      wgFriend1 = config.my.ips.wg-friend1;
      wgFriend2 = config.my.ips.wg-friend2;
      wgFriend3 = config.my.ips.wg-friend3;
      wgFriend4 = config.my.ips.wg-friend4;
      # Ports are rendered as strings because they are spliced into rule text.
      giteaSshPort = toString 22;
      syncthingPort = toString 22000;
      synapseFederationPort = toString 8448;
      synapseClientPort = toString config.my.servers.synapse.port;
      syncplayPort = toString config.my.servers.syncplay.port;
      stashPort = toString config.my.servers.stash.port;
    in
    {
      enable = true;
      # 3456 is the SSH port set in services.openssh.ports below. Port 22 is
      # deliberately absent from the input side: it is rewritten by the DNAT
      # rule in extraCommands before routing, so it never reaches this host's
      # own services.
      allowedTCPPorts = [ 80 443 3456 ];
      # 51820 — presumably the WireGuard listen port, given the wg-* names.
      allowedUDPPorts = [ 51820 ];

      # nftables rules appended to the forward chain.
      # NOTE(review): extraForwardRules is honored only by the nftables-based
      # firewall, while extraCommands / extraStopCommands below are iptables
      # commands; confirm which backend base.nix selects, since one of the two
      # sets is ignored or rejected depending on that choice.
      # Rule order matters: the per-flow accepts come first and the subnet
      # isolation drops last, so an accepted friend/guest -> home-server flow is
      # not caught by the drops if homeServer lies inside wgSubnet.
      extraForwardRules = ''
        ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
        ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
        ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
        ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
        ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
        ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
        ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
        ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
        ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
        ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
        ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept
        ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
        ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
        ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept
        ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop
        ip saddr ${wgSubnet} ip daddr ${wgFriendsSubnet} drop
        ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop
        ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop
        ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
        ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
      '';

      # iptables NAT: expose the home server's SSH (gitea) on port 22 of this
      # host, and masquerade the friend/guest subnets toward the internet.
      # The PREROUTING rule carries no `-i` match, so it applies on every
      # interface, the wg-* ones included. The MASQUERADE toward homeServer
      # makes replies return through this host, at the cost that homeServer's
      # sshd/gitea logs record this host's address rather than the real client
      # — keep that in mind when correlating auth events across the two hosts.
      extraCommands = ''
        iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort}
        iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE
        iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE
        iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE
      '';
      # Mirror of extraCommands; `|| true` keeps a firewall stop from failing
      # when a rule is already gone.
      extraStopCommands = ''
        iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true
        iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true
        iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true
        iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true
      '';
    };

  # Passwordless root for exactly one command. nixos-rebuild can activate an
  # arbitrary configuration, so this is root-equivalent for nixremote; the
  # authorizedKeys list above is what actually bounds who can exercise it.
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Must agree with allowedTCPPorts above.
  services.openssh.ports = [ 3456 ];

  # sops-nix age key: generated at keyFile when absent; the host ed25519 SSH
  # key is presumably also usable as a decryption identity — confirm against
  # the sops-nix module in use.
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  # Key-only system users; their public keys come from the repo's secrets
  # directory (public halves only, as the .pub suffix indicates).
  users = {
    groups = {
      deploy = { };
      lidarr-reports = { };
    };
    users = {
      deploy = {
        isSystemUser = true;
        group = "deploy";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
      };
      lidarr-reports = {
        isSystemUser = true;
        group = "lidarr-reports";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
      };
    };
  };
}