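{ host, config, pkgs, pkgs-unstable, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  boot = {
    kernel.sysctl = {
      "vm.swappiness" = 6;
    };
  };

  # sops-nix secrets. Each entry is decrypted onto the host and exposed through
  # config.sops.secrets.<name>.path; the consumers below read them from there,
  # so no credential is written into this file.
  sops = {
    secrets = {
      # NOTE(review): only referenced by the commented-out k3s block further
      # down, so it is currently decrypted onto the host with no consumer.
      # Drop it or keep it deliberately.
      "password".sopsFile = ../../secrets/k8s.yaml;
      forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
      "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
      "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
      "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
      "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
    };
  };

  # Off-site restic backup of the Immich media tree. Repository location,
  # provider credentials and the repository password all come from sops.
  services.restic.backups = {
    b2-immich = {
      initialize = true;
      environmentFile = config.sops.secrets."b2-immich/env".path;
      repositoryFile = config.sops.secrets."b2-immich/repo".path;
      passwordFile = config.sops.secrets."b2-immich/password".path;
      paths = [ "/tank/immich" ];
      timerConfig = {
        OnCalendar = "06:00";
        # Setting timerConfig replaces the module default wholesale; without
        # Persistent, a run missed while the host was powered off at 06:00 is
        # skipped instead of being caught up on the next boot.
        Persistent = true;
      };
      pruneOpts = [
        "--keep-daily 31"
        "--keep-monthly 6"
        "--keep-yearly 1"
      ];
    };
  };

  networking = {
    hostId = "44238132";
    firewall = {
      # Open on every interface: SSH and NFS (TCP 2049). The NFS exports are not
      # defined in this file; whatever they grant is enforced by client address
      # (AUTH_SYS) unless configured otherwise, so 2049 must not be reachable
      # from untrusted networks.
      allowedTCPPorts = [
        22
        2049 # nfs
      ];
      # Only reachable from podman-managed interfaces, not from outside the host.
      interfaces."podman+" = {
        allowedTCPPorts = [ 33393 ];
      };
    };
  };

  services = {
    zfs.autoScrub.enable = true;
    zfs.autoSnapshot.enable = true;
    fstrim.enable = true;
    nfs.server.enable = true;

    immich = {
      enable = true;
      package = pkgs-unstable.immich;
      port = 2283;
      host = "localhost";
      # Immich is bound to localhost and fronted by the TLS-terminating nginx
      # vhost below. openFirewall = true would allow port 2283 on every
      # interface: useless while host is "localhost", and a plaintext bypass of
      # nginx the moment host is ever changed. Keep the port closed.
      openFirewall = false;
      machine-learning.enable = true;
      mediaLocation = "/tank/immich";
      accelerationDevices = null;
    };

    nginx = {
      enable = true;
      # NOTE(review): neither 80 nor 443 is in allowedTCPPorts above, so this
      # vhost is only reachable locally or over an interface trusted elsewhere
      # in the configuration — confirm that is intended.
      virtualHosts."img.10110110.xyz" = {
        forceSSL = true;
        useACMEHost = "10110110.xyz";
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          # Large media uploads: accept bodies up to 50000 MiB and give slow
          # transfers ten minutes in either direction before nginx gives up.
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
            send_timeout 600s;
          '';
        };
      };
    };
  };

  # Forgejo Actions runner registered against git.10110110.xyz; the
  # registration token is read from sops at runtime.
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = host.hostName;
      settings = {
        runner.capacity = 3;
        container = {
          # Re-pull job images on every run so the floating tags in `labels`
          # are not silently pinned to whatever was cached locally.
          force_pull = true;
          # NOTE(review): presumably the allowlist of host paths a job
          # container may mount. Exposing /nix/store is convenient for Nix
          # builds but hands every workflow the whole store contents — fine for
          # a trusted forge, worth revisiting if third-party jobs ever run here.
          valid_volumes = [ "/nix/store" ];
        };
      };
      url = "https://git.10110110.xyz";
      tokenFile = config.sops.secrets.forgejo-runner.path;
      # NOTE(review): "node:24-bullseye" and "nixos/nix:latest" are unpinned
      # upstream tags, so a job's toolchain can change underneath a workflow
      # between runs; pin by digest if reproducible CI matters.
      labels = [
        "ubuntu-latest:docker://node:24-bullseye"
        "nix-upstream-latest:docker://nixos/nix:latest"
        "nix-latest:docker://git.10110110.xyz/ci/nix"
      ];
    };
  };

  # services.k3s = {
  #   enable = true;
  #   role = "agent";
  #   extraFlags = toString [
  #     "--flannel-iface=tailscale0"
  #   ];
  #   tokenFile = config.sops.secrets."password".path;
  #   serverAddr = "https://consensus:6443";
  # };

  # systemd.services.k3s = {
  #   preStart = ''
  #     until ${pkgs.tailscale}/bin/tailscale status; do
  #       sleep 1
  #     done
  #   '';
  # };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@10110110.xyz";
    certs = {
      # Wildcard certificate via the DNS-01 challenge (no inbound HTTP needed
      # for issuance). The Cloudflare API credentials come from sops; the
      # resulting key material is made group-readable by nginx's group so the
      # vhost above can serve it.
      "10110110.xyz" = {
        domain = "*.10110110.xyz";
        group = config.services.nginx.group;
        dnsProvider = "cloudflare";
        environmentFile = config.sops.secrets."cf-dns-key".path;
      };
    };
  };

  virtualisation.podman.enable = true;

  hardware = {
    graphics.enable = true;
    nvidia = {
      modesetting.enable = true;
      nvidiaSettings = true;
      # Proprietary kernel module, pinned to the stable branch for this kernel.
      open = false;
      package = config.boot.kernelPackages.nvidiaPackages.stable;
    };
    enableRedistributableFirmware = true;
    firmware = [ pkgs.linux-firmware ];
  };
}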