# NixOS module for the host named "server": remote-build trust, firewall
# openings, sops-managed secrets, a WireGuard tunnel to the VPS, btrfs scrubbing
# and the lidarr-mb-gap report job.
{
  pkgs,
  config,
  lib,
  inputs,
  ...
}:
let
  # config.my.secureHost gates the sops secrets and the WireGuard interface below.
  secure = config.my.secureHost;
  vpsIp = config.my.ips.vps;
  gapUser = config.users.users.lidarr-mb-gap;
  hostSystem = pkgs.stdenv.hostPlatform.system;
in
{
  imports = [
    inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
    ./hardware-configuration.nix
    ../../config/base.nix
    ../../config/stylix.nix
  ];

  # `//` is a shallow merge: the `nix`, `users` and `network` keys set here
  # replace same-named top-level keys returned by toggles.nix wholesale.
  # NOTE(review): confirm toggles.nix does not define those keys itself.
  my = (import ./toggles.nix { inherit config inputs; }) // {
    nix = {
      cores = 6;
    };
    users.nixremote = {
      enable = true;
      # SSH keys accepted for the nixremote account, looked up by host name.
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixminiserver"
      ];
    };
    network.firewall = {
      enabledServicePorts = true;
      # NOTE(review): presumably opened on every interface by the `my` firewall
      # module; confirm there, and check each entry is meant to be reachable
      # beyond the LAN.
      additionalPorts = [
        2049 # IANA-registered NFS port; original note was "idk", so confirm an export is intended or drop it
        8384 # syncthing gui (administrative web UI)
        22000 # syncthing (author's note: relay; 22000 is also the default sync listener)
        3452 # sonarqube
        8448 # synapse ssl
        8265 # tdarr
      ];
    };
  };

  # Offload builds to "workstation" over SSH as the nixremote user.
  nix.buildMachines = [
    {
      hostName = "workstation";
      system = "x86_64-linux";
      sshUser = "nixremote";
      maxJobs = 8;
      speedFactor = 2;
      supportedFeatures = config.my.nix.features;
    }
  ];

  # Secrets are only declared when the host is marked secure.
  sops.secrets."vps/home/private" = lib.mkIf secure {
    sopsFile = ../../secrets/wireguard.yaml;
  };
  sops.secrets.lidarr-mb-gap = lib.mkIf secure {
    sopsFile = ../../secrets/env.yaml;
  };
  # The job's SSH private key is owned by the service account and placed in its
  # home directory.
  sops.secrets."private_keys/lidarr-mb-gap" =
    lib.mkIf (secure && config.services.lidarr-mb-gap.enable)
      {
        sopsFile = ../../secrets/keys.yaml;
        owner = gapUser.name;
        group = gapUser.group;
        path = "${gapUser.home}/.ssh/ed25519_lidarr-mb-gap";
      };

  networking.hostName = "server";

  # Every allowed TCP port is also allowed over UDP.
  # NOTE(review): this opens UDP for services that may only speak TCP; listing
  # the UDP ports actually needed would narrow the exposed surface.
  networking.firewall.allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
  # 8081/tcp is allowed on the WireGuard interface only. This rule is declared
  # whether or not wg0 itself is configured.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8081 ];

  networking.wireguard.interfaces.wg0 = lib.mkIf secure {
    ips = [ "${config.my.ips.wg-server}/32" ];
    # Private key comes from the sops-decrypted file, never from the Nix store.
    privateKeyFile = config.sops.secrets."vps/home/private".path;
    peers = [
      {
        # Peer public key; not secret material.
        publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
        endpoint = "${vpsIp}:51820";
        # Only these source ranges are accepted from, and routed to, the peer.
        allowedIPs = [
          "${config.my.ips.wg-vps}/32"
          "${config.my.ips.wg-friends}/24" # all friends
        ];
        persistentKeepalive = 25;
      }
    ];
  };

  # Same two packages, in the order builtins.attrValues yields them (sorted by
  # attribute name).
  users.users.jawz.packages = [
    pkgs.attic-client
    pkgs.podman-compose
  ];

  services.btrfs.autoScrub = {
    enable = true;
    fileSystems = [
      "/"
      "/srv/pool"
    ];
  };

  # NOTE(review): enabled unconditionally, yet envFile and sshKeyFile point at
  # sops secrets that are only declared when secureHost is true; presumably
  # this does not evaluate on a non-secure host. Confirm.
  services.lidarr-mb-gap = {
    enable = true;
    package = inputs.lidarr-mb-gap.packages.${hostSystem}.lidarr-mb-gap;
    home = "/var/lib/lidarr-mb-gap";
    envFile = config.sops.secrets.lidarr-mb-gap.path;
    runInterval = "weekly";
    syncToVPS = true;
    vpsPort = 3456;
    vpsHost = "lidarr-reports@${vpsIp}";
    vpsPath = "/var/www/html/lidarr-mb-gap";
    sshKeyFile = config.sops.secrets."private_keys/lidarr-mb-gap".path;
    # Pinned host key for the VPS. Presumably the module writes it to
    # known_hosts so the sync does not trust the key on first use; verify in
    # the lidarr-mb-gap module.
    sshKnownHosts.vps = {
      hostNames = [ vpsIp ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvtTURGBtAFXxxfzMJVoNJrtWLykOloJ5XYjxGh1OUx";
    };
  };
}