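# Host configuration for "tlaternet": a small public server running a few
# reverse-proxied web services behind nginx plus a game server.
#
# Security-relevant decisions are commented inline; per-service settings live
# in ./services/*.nix and secrets handling in ./sops.nix.
{
  config,
  pkgs,
  lib,
  ...
}: {
  imports = [
    ./services/gitea.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/starbound.nix
    ./services/postgres.nix
    ./ids.nix
    ./sops.nix
  ];

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    # Enable remote builds from tlater.
    #
    # NOTE: trusted users may pass arbitrary daemon settings (substituters,
    # sandbox options, ...), which is effectively root on this host. This
    # trusts *every* member of wheel, not just tlater; narrow this to the
    # concrete user (e.g. ["tlater"]) if other wheel members are ever added.
    trustedUsers = ["@wheel"];
  };

  # Only the unfree packages the game server actually needs are allowed.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"];

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  # These are host-wide kernel parameters and affect every workload.
  boot.kernelParams = ["highres=off" "nohz=off"];

  networking = {
    hostName = "tlaternet";

    usePredictableInterfaceNames = false;
    useDHCP = false;
    interfaces.eth0.useDHCP = true;

    # Exposed to the internet: HTTP/HTTPS (nginx), the ssh port, and 21025
    # (Starbound, see ./services/starbound.nix).  The ssh port is taken from
    # the openssh module so the two cannot drift apart.
    firewall.allowedTCPPorts = [80 443 21025] ++ config.services.openssh.ports;
  };

  time.timeZone = "Europe/London";

  # The single admin user; key-only login, sudo via wheel.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
  };

  services.openssh = {
    enable = true;
    allowSFTP = false;
    # Key-based authentication only; root may not log in directly.
    passwordAuthentication = false;
    permitRootLogin = "no";
    # Non-default port purely to cut down on log noise from scanners; this is
    # not a security control on its own.
    ports = [2222];
    startWhenNeeded = true;
    # "yes" binds remote-forwarded (ssh -R) ports on all interfaces instead of
    # loopback, so any key holder can expose a tunnel to the internet.  With
    # the NixOS firewall enabled (the default) such a port is only reachable
    # from outside if it is also in firewall.allowedTCPPorts above.  Consider
    # "clientspecified" if that exposure is not intended.
    gatewayPorts = "yes";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Global upload limit for every vhost (presumably for Nextcloud uploads;
    # confirm).  Lower it per-vhost for services that never accept uploads.
    clientMaxBodySize = "10G";
    domain = "tlater.net";

    virtualHosts = let
      # Build a TLS-terminating vhost that forwards "/" to a service listening
      # on loopback port `port`.  `extra` is merged over the defaults; an
      # `extraConfig` in `extra` is appended after the HSTS header rather than
      # replacing it, so callers cannot accidentally drop the header.
      #
      # The HSTS header carries includeSubDomains, so every subdomain of
      # `domain` must also be served over TLS once a browser has seen it.
      proxyPassToPort = port: extra:
        lib.recursiveUpdate {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://127.0.0.1:${toString port}";
          extraConfig =
            ''
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            ''
            + (extra.extraConfig or "");
        }
        (builtins.removeAttrs extra ["extraConfig"]);
      domain = config.services.nginx.domain;
    in {
      "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
    };
  };

  security.acme = {
    email = "tm@tlater.net";
    acceptTerms = true;
  };

  virtualisation.oci-containers.backend = "podman";

  system.stateVersion = "20.09";
}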