{
  config,
  pkgs,
  lib,
  modulesPath,
  flake-inputs,
  ...
}:
{
  imports = [
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default

    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)

    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit
    ./services/crowdsec.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/metrics
    ./services/minecraft.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
    # ./services/starbound.nix -- Not currently used
    ./services/postgres.nix
    ./nginx.nix
    ./sops.nix
  ];

  # Overlay adding a `local` attribute to the package set, built by importing
  # ../pkgs against the pre-overlay packages (`prev`).
  nixpkgs.overlays = [
    (_final: prev: { local = import ../pkgs { pkgs = prev; }; })
  ];

  # Turn on the flakes and new-CLI experimental features.
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  # Marks every member of wheel as a trusted Nix user; the intent recorded in
  # this file is to allow remote builds from tlater.
  # NOTE(review): a trusted Nix user can override daemon settings and import
  # unsigned store paths, which the Nix manual describes as essentially
  # equivalent to root. Every wheel account, and every SSH key that can log in
  # to one, therefore holds root-level influence over the store without going
  # through sudo. Confirm the whole group needs this rather than one user.
  nix.settings.trusted-users = [ "@wheel" ];

  # Kernel timer parameters kept as a Minecraft server optimisation; background:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = [ "highres=off" "nohz=off" ];

  networking =
    let
      # Shorthand for the coturn option set whose ports are opened below.
      turn = config.services.coturn;

      # The four coturn listener ports, opened for both TCP and UDP.
      turnListeners = [
        turn.listening-port
        turn.tls-listening-port
        turn.alt-listening-port
        turn.alt-tls-listening-port
      ];
    in
    {
      usePredictableInterfaceNames = false;
      useDHCP = false;

      # Every entry here is reachable from any network the host is attached
      # to, so each one should map to a service that is actually enabled.
      firewall = {
        allowedTCPPorts = [
          80 # http
          443 # https
          2222 # ssh; keep in step with services.openssh.ports
          8448 # matrix
          # NOTE(review): labelled for starbound, whose service import is
          # commented out as unused in this file. Confirm something still
          # needs 21025: sshd here sets GatewayPorts = "yes", so an open port
          # with no listener can be bound by a remote forward from any account
          # that can authenticate over SSH.
          21025
        ]
        ++ turnListeners;

        allowedUDPPorts = turnListeners;

        # UDP range between coturn's configured min-port and max-port.
        allowedUDPPortRanges = [
          {
            from = turn.min-port;
            to = turn.max-port;
          }
        ];
      };
    };

  # Network interfaces are handled by systemd-networkd.
  systemd.network.enable = true;

  time.timeZone = "Europe/London";

  # Administrative account. This file ties both sudo access
  # (security.sudo.execWheelOnly) and Nix trusted-user status
  # (nix.settings.trusted-users) to wheel membership, so the key material in
  # ../keys/tlater.pub is what ultimately guards root on this host.
  users.users.tlater = {
    openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
    extraGroups = [ "wheel" ];
    isNormalUser = true;
  };

  # sshd on a non-default port with root login, password authentication and
  # SFTP all switched off.
  services.openssh = {
    enable = true;
    ports = [ 2222 ];
    # Socket activation: systemd starts sshd per incoming connection instead
    # of keeping a daemon running.
    startWhenNeeded = true;
    allowSFTP = false;

    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # NOTE(review): KbdInteractiveAuthentication is not set in this file. If
      # the nixpkgs default leaves it enabled, PAM password prompts may still
      # be reachable despite the line above; confirm and consider disabling.

      # "yes" makes remote (-R) forwards bind on the wildcard address rather
      # than loopback, so any authenticated account can publish a listener on
      # whichever ports the firewall leaves open.
      # NOTE(review): if forwards only need to be reachable from the host
      # itself, "no" is the narrower setting; "clientspecified" sits between.
      GatewayPorts = "yes";
    };
  };

  services.logrotate.enable = true;

  # Restrict execution of the sudo binary itself to members of wheel.
  security.sudo.execWheelOnly = true;

  # sudo authenticates against the caller's SSH agent instead of a password.
  # Accepted keys are read only from /etc/ssh/authorized_keys.d/%u, not from a
  # file under the user's home, so a key added to ~/.ssh does not grant sudo.
  # NOTE(review): this relies on that directory being writable by root only;
  # presumably it is the NixOS-managed location. Confirm.
  # Caveat: while an agent is forwarded, any process able to reach the agent
  # socket for that session can satisfy sudo, so forward agents only from
  # clients you trust.
  security.pam.sshAgentAuth = {
    enable = true;
    authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
  };
  security.pam.services.sudo.sshAgentAuth = true;

  # Install none of the default packages; anything needed must be requested
  # explicitly elsewhere.
  environment.defaultPackages = [ ];

  # Release whose stateful defaults this machine was set up with. NixOS
  # guidance is to leave this value alone when upgrading.
  system.stateVersion = "20.09";
}