{
  config,
  inputs,
  lib,
  this,
  ...
}:
with lib; {
  secrets = {
    wireguard-private-key-yavanna.file = "${inputs.self}/secrets/wireguard-private-key-yavanna";

    syncthing-cert-yavanna = with config.services.syncthing; {
      file = "${inputs.self}/secrets/syncthing-cert-yavanna";
      owner = user;
      inherit group;
    };

    syncthing-key-yavanna = with config.services.syncthing; {
      file = "${inputs.self}/secrets/syncthing-key-yavanna";
      owner = user;
      inherit group;
    };
  };

  nixfiles.modules = {
    wireguard = {
      privateKeyFile = config.secrets.wireguard-private-key-yavanna.path;
      client.enable = true;
    };

    syncthing = with config.secrets; {
      enable = true;
      key = syncthing-key-yavanna.path;
      cert = syncthing-cert-yavanna.path;
    };

    acme.enable = true;

    rtorrent = {
      enable = true;
      flood.enable = true;
    };
  };

  networking = let
    interface = "eth0";
  in {
    interfaces.${interface} = {
      ipv4.addresses = [
        {
          inherit (this.ipv4) address;
          prefixLength = 24;
        }
      ];

      ipv6.addresses = [
        {
          inherit (this.ipv6) address;
          prefixLength = 128;
        }
      ];
    };

    defaultGateway = {
      inherit interface;
      address = this.ipv4.gateway;
    };

    defaultGateway6 = {
      inherit interface;
      address = this.ipv6.gateway;
    };
  };

  boot = {
    loader.grub = {
      enable = true;
      device = "/dev/sda";
    };

    initrd = {
      availableKernelModules = ["uhci_hcd" "ahci"];
      kernelModules = ["nvme"];
    };
  };

  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
    options = ["noatime"];
  };

  swapDevices = [
    {
      device = "/swapfile";
      size = 4 * 1024;
    }
  ];
}