# NixOS host configuration for "tlaternet": a headless, minimal server whose
# service definitions live in ./services/*.nix and whose shared modules come
# from ../modules. Everything below is plain option assignment that the NixOS
# module system merges with the imported files.
{
  config,
  pkgs,
  lib,
  modulesPath,
  ...
}: let
  # Shorthand for the coturn options the firewall rules reference. The port
  # numbers are read back from config, so coturn must be configured by one of
  # the imported modules (presumably ./services/conduit.nix — verify).
  coturn = config.services.coturn;
  coturnPorts = with coturn; [
    listening-port
    tls-listening-port
    alt-listening-port
    alt-tls-listening-port
  ];
in {
  imports = [
    # Profiles that strip graphical and most default tooling from the closure.
    "${modulesPath}/profiles/headless.nix"
    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)

    ./services/conduit.nix
    ./services/gitea.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/starbound.nix
    ./services/postgres.nix
    ./sops.nix
  ];

  nixpkgs = {
    # Expose the local package tree as `pkgs.local`, built against the
    # un-overlaid package set.
    overlays = [
      (final: prev: {
        local = import ../pkgs {
          pkgs = prev;
          inherit (prev) lib;
        };
      })
    ];

    # The only unfree packages permitted are the Steam tooling (presumably
    # needed by ./services/starbound.nix — verify); everything else stays
    # free-only.
    config.allowUnfreePredicate = pkg:
      builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
  };

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    # Enable remote builds from tlater.
    # Trusted users may override nix-daemon settings such as substituters,
    # which the Nix manual describes as effectively root-equivalent; wheel
    # membership is therefore the full trust boundary on this host.
    settings.trusted-users = ["@wheel"];
  };

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = ["highres=off" "nohz=off"];

  networking = {
    hostName = "tlaternet";

    # Classic eth0 naming with a single DHCP-managed interface.
    usePredictableInterfaceNames = false;
    useDHCP = false;
    interfaces.eth0.useDHCP = true;

    firewall = {
      allowedTCPPorts =
        [
          80 # http
          443 # https
          2222 # ssh (matches services.openssh.ports below)
          8448 # matrix
          21025 # starbound
          25565 # minecraft
        ]
        ++ coturnPorts;

      # Minecraft plus the TURN listener ports.
      allowedUDPPorts = [25565] ++ coturnPorts;

      # TURN relay range.
      allowedUDPPortRanges = [
        {
          from = coturn.min-port;
          to = coturn.max-port;
        }
      ];
    };
  };

  time.timeZone = "Europe/London";

  # The single interactive account: key-only login (see services.openssh) and
  # sudo through wheel.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
  };

  services = {
    openssh = {
      enable = true;
      # Key-only, non-root logins on a non-default port; the SFTP subsystem is
      # disabled entirely.
      allowSFTP = false;
      passwordAuthentication = false;
      permitRootLogin = "no";
      ports = [2222];
      startWhenNeeded = true; # socket-activated sshd
      # "yes" lets remote (ssh -R) forwards bind on all interfaces instead of
      # loopback only, so anything a user forwards becomes reachable from the
      # network on any port the firewall permits. Keep that in mind when
      # widening allowedTCPPorts above.
      gatewayPorts = "yes";
    };

    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      # Applies to every vhost, not only the one that needs large uploads
      # (presumably nextcloud).
      clientMaxBodySize = "10G";
      # Not a stock services.nginx option; presumably declared in ../modules —
      # verify.
      domain = "tlater.net";
    };

    fail2ban = {
      enable = true;
      # The ipset-based banaction needs the ipset binary available to fail2ban.
      extraPackages = [pkgs.ipset];
      banaction = "iptables-ipset-proto6-allports";
      bantime-increment.enable = true;

      jails = {
        nginx-botsearch = ''
          enabled = true
          logpath = /var/log/nginx/access.log
        '';
      };

      # Loopback and RFC 1918 ranges are never banned. If a proxy or NAT in
      # front of this host rewrites client addresses into these ranges, its
      # traffic would be exempt as well — worth confirming.
      ignoreIP = [
        "127.0.0.0/8"
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
      ];
    };
  };

  security = {
    # Only wheel members may execute the sudo binary at all.
    sudo.execWheelOnly = true;

    # sudo accepts a key from the user's authorized_keys held in a forwarded SSH
    # agent in place of a password, so a forwarded agent is effectively a sudo
    # credential on this host.
    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true;
    };

    acme = {
      defaults.email = "tm@tlater.net";
      acceptTerms = true;
    };
  };

  # Remove some unneeded packages
  environment.defaultPackages = [];

  # Pinned to the release this host was first installed with; it controls
  # stateful defaults and is not meant to follow upgrades.
  system.stateVersion = "20.09";
}