{ pkgs, pkgs-unstable, config, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ./backups.nix
  ];

  # Secret consumed by the ACME DNS challenge below. The decrypted file is
  # passed to lego as an environment file; presumably it carries the
  # Cloudflare API credentials — verify against secrets/cf-acme.yaml.
  sops.secrets."env".sopsFile = ../../secrets/cf-acme.yaml;

  environment.systemPackages = with pkgs; [
    git
    vim
    docker-compose
    tmux
  ];

  # Repo-local module option; presumably the sshd listen port(s) — confirm.
  machine.net.openssh.ports = [ 2022 ];

  # k3s is told to use tailscale0 as its flannel interface (see extraFlags),
  # so block the unit until tailscale reports a usable status.
  systemd.services.k3s.preStart = ''
    until ${pkgs.tailscale}/bin/tailscale status; do
      sleep 1
    done
  '';

  services.zfs = {
    autoScrub.enable = true;
    autoSnapshot.enable = true;
  };
  services.fstrim.enable = true;

  services.nfs.server = {
    enable = true;
    # /rice is exported read-write to the LAN subnet and to one 100.x host
    # (looks like a tailscale address — confirm).
    exports = ''
      /rice 192.168.1.0/24(rw,fsid=0,no_subtree_check) 100.87.58.70(rw,fsid=0,no_subtree_check)
    '';
  };

  services.k3s = {
    enable = true;
    role = "server";
    # Space-joined flag string; traefik is replaced by the nginx vhosts below.
    extraFlags = builtins.concatStringsSep " " [
      "--disable=traefik"
      "--flannel-iface=tailscale0"
    ];
  };

  # services.immich = {
  #   enable = false;
  #   package = pkgs-unstable.immich;
  #   port = 2283;
  #   host = "localhost";
  #   openFirewall = true;
  #   machine-learning.enable = true;
  #   mediaLocation = "/rice/immich";
  #   accelerationDevices = null;
  # };

  services.nginx = {
    enable = true;
    virtualHosts."img.10110110.xyz" = {
      forceSSL = true;
      # Served from the wildcard certificate declared under security.acme.
      useACMEHost = "10110110.xyz";
      locations."/" = {
        # NOTE(review): the immich service block is commented out, yet this
        # location still proxies to its port — confirm the backend is provided
        # some other way, otherwise this vhost answers 502 to the public.
        proxyPass = "http://localhost:${toString config.services.immich.port}";
        proxyWebsockets = true;
        recommendedProxySettings = true;
        # Raise the request-body ceiling to 50000M and all proxy/client
        # timeouts to ten minutes.
        extraConfig = ''
          client_max_body_size 50000M;
          proxy_read_timeout 600s;
          proxy_send_timeout 600s;
          send_timeout 600s;
        '';
      };
    };
  };

  boot.kernel.sysctl."vm.swappiness" = 6;

  networking.hostId = "91238132";

  # NOTE(review): everything listed here is opened on every interface, not
  # only tailscale0. 22 looks redundant if sshd only listens on 2022, and the
  # Kubernetes ports (6443, 10250) would normally be reachable over tailscale
  # alone — confirm the broader exposure is intended.
  networking.firewall = {
    allowedTCPPorts = [
      22
      80
      443
      2022
      2049 # nfs
      8080 # unifi
      8443 # unifi
      10001
      10250
      6443 # k8s
      25565 # mc
      25566 # mc
      9001 # eth
      30303 # eth
    ];
    allowedUDPPorts = [
      9001
      30303
    ];
  };

  # Repo-local options; presumably disable zram and size the swap in GiB.
  machine.sys = {
    zram = false;
    swapSize = 16;
  };

  virtualisation.docker = {
    enable = true;
    # Containers resolve through 1.1.1.1 directly rather than the host resolver.
    extraOptions = "--dns 1.1.1.1";
  };

  # users.users = {
  #   immich.extraGroups = [
  #     "video"
  #     "render"
  #   ];
  # };

  # Wildcard certificate for the zone, obtained via the DNS-01 challenge on
  # Cloudflare so no inbound HTTP is needed for issuance. The nginx group
  # owns the key so the vhost above can read it.
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@10110110.xyz";
    certs."10110110.xyz" = {
      domain = "*.10110110.xyz";
      group = config.services.nginx.group;
      dnsProvider = "cloudflare";
      # Decrypted by sops at activation; see sops.secrets."env" above.
      environmentFile = config.sops.secrets."env".path;
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
    ];
  };

  # NixOS release this host was first installed with; leave unchanged.
  system.stateVersion = "23.11";
}