# Host-level NixOS module: WireGuard client, ACME, rss-bridge and radicale
# through the nixfiles modules, static dual-stack addressing on eth0, and a
# LUKS-encrypted root that is unlocked over SSH from the initrd.
{
  config,
  inputs,
  lib,
  this,
  ...
}: {
  # `${inputs.self}` interpolates to a path in the world-readable Nix store,
  # so the file referenced here has to be the encrypted form of the key.
  # NOTE(review): presumably decrypted at activation by the secrets module and
  # exposed through `.path` below; confirm, and check the mode/owner of the
  # decrypted file.
  secrets.wireguard-private-key-varda.file = "${inputs.self}/secrets/wireguard-private-key-varda";

  nixfiles.modules = {
    wireguard = {
      # Runtime path of the secret, not its contents, so the key itself is not
      # embedded in the evaluated configuration.
      privateKeyFile = config.secrets.wireguard-private-key-varda.path;
      client.enable = true;
    };

    acme.enable = true;
    rss-bridge.enable = true;
    radicale.enable = true;
  };

  networking = let
    nic = "eth0";
  in {
    # Static addresses and gateways come from the host record passed in as `this`.
    interfaces.${nic} = {
      ipv4.addresses = [
        {
          address = this.ipv4.address;
          prefixLength = 22;
        }
      ];
      ipv6.addresses = [
        {
          address = this.ipv6.address;
          prefixLength = 64;
        }
      ];
    };

    defaultGateway = {
      interface = nic;
      address = this.ipv4.gateway;
    };

    defaultGateway6 = {
      interface = nic;
      address = this.ipv6.gateway;
    };
  };

  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
  };

  boot.initrd = {
    luks.devices.nixos = {
      device = "/dev/sda2";
      # TRIM is passed through dm-crypt. The NixOS option documentation marks
      # this as having security implications: the raw device reveals which
      # blocks are unused. Keep only if that trade-off is accepted.
      allowDiscards = true;
      # dm-crypt workqueue bypass; a performance setting.
      bypassWorkqueues = true;
    };

    # Network and sshd inside the initrd, so the LUKS passphrase can be
    # supplied remotely before the root filesystem is available.
    network = {
      enable = true;
      ssh = {
        enable = true;
        # First port of the main sshd, so pre-boot and booted sshd share it.
        port = lib.head config.services.openssh.ports;
        # NOTE(review): this reuses the running system's OpenSSH host keys for
        # the initrd sshd. The initrd is read before the LUKS volume is
        # opened, so a copy of those private keys is kept outside the
        # encrypted root (on the boot partition, or in the Nix store when the
        # bootloader has no initrd-secret support). Whoever can read the disk
        # at rest can then impersonate the booted host too. The NixOS option
        # documentation advises dedicated host keys generated only for the
        # initrd; clients then pin two keys for this address.
        hostKeys = map (k: k.path) config.services.openssh.hostKeys;
        # Every key listed here can reach the pre-boot environment where the
        # disk is unlocked; keep this set as small as the unlock duty needs.
        authorizedKeys = config.my.openssh.authorizedKeys.keys;
      };
    };

    availableKernelModules = [
      "ata_piix"
      "sd_mod"
      "sr_mod"
      "uhci_hcd"
      "virtio_pci"
      "virtio_scsi"
    ];
  };

  # NOTE(review): /boot is mounted by label from a separate filesystem and is
  # not listed under luks.devices, so it appears to be unencrypted; kernel and
  # initrd on it are not integrity-protected by LUKS.
  fileSystems."/boot" = {
    device = "LABEL=boot";
    fsType = "xfs";
    options = ["noatime"];
  };

  fileSystems."/" = {
    device = "LABEL=nixos";
    fsType = "xfs";
    options = ["noatime"];
  };

  system.stateVersion = "22.05";
}