# NixOS machine configuration: a VM with a statically configured WAN uplink
# (systemd-networkd), two WireGuard tunnels, and a set of imported service
# modules (nginx, conduit, matrix-hookshot, fail2ban, node-exporter).
{ my, pkgs, ... }:
let
  hetznerWanIfName = "enp1s0";

  # Uplink settings that do not depend on the host's own addresses; the
  # addresses are merged in where the "10-wan" network is declared.
  hetznerWanNetwork = {
    matchConfig.Name = hetznerWanIfName;
    routes = [
      # The IPv4 address below is a /32, so the gateway lies outside any
      # on-link prefix; GatewayOnLink lets networkd install the route anyway.
      {
        routeConfig = {
          Gateway = "172.31.1.1";
          GatewayOnLink = true;
        };
      }
      # IPv6 default route via the link-local gateway.
      { routeConfig.Gateway = "fe80::1"; }
    ];
    dns = [
      "185.12.64.1"
      "185.12.64.2"
    ];
    linkConfig.RequiredForOnline = "routable";
  };

  # Every mount point is a subvolume of the same btrfs filesystem.
  rootDevice = "/dev/disk/by-uuid/0ec38da7-36b2-437c-b4dd-45d5ed620979";

  # Build a fileSystems entry for one subvolume from its mount options.
  btrfsSubvolume = options: {
    device = rootDevice;
    fsType = "btrfs";
    inherit options;
  };
in
{
  # NOTE(review): several imports live under ../secrets. Values that are
  # evaluated as part of the configuration are copied into the Nix store,
  # which is world-readable on the target; confirm these modules only point
  # at key files deployed outside the store (or at an encrypted mechanism)
  # and that the directory is kept out of any public repository.
  imports = [
    ../secrets/machines/fort.nix
    ../secrets/morph/acme.nix
    ../secrets/morph/matrix.nix
    ../secrets/morph/restic.nix
    ../secrets/morph/wireguard
    ../services/conduit.nix
    ../services/fail2ban.nix
    ../services/matrix-hookshot.nix
    ../services/nginx.nix
    ../services/node-exporter.nix
    ../services/web/c8h4-io.nix
    ../system/virtual-machine.nix
  ];

  system.stateVersion = "23.05";

  boot = {
    initrd.availableKernelModules = [
      "ahci"
      "xhci_pci"
      "sd_mod"
      "sr_mod"
    ];
    loader.grub.device = "/dev/sda";

    # Turns this host into an IPv4 router (presumably so WireGuard peers can
    # reach each other or the WAN through it). Only IPv4 forwarding is
    # enabled here.
    # NOTE(review): no forwarding policy is visible in this file; confirm
    # that an imported module restricts which traffic may be routed between
    # the tunnels and the WAN interface, otherwise any peer can use this
    # host as a transit hop.
    kernel.sysctl."net.ipv4.ip_forward" = 1;
  };

  fileSystems = {
    "/" = btrfsSubvolume [ "noatime" "subvol=@" ];
    "/boot" = btrfsSubvolume [ "noatime" "subvol=@boot" ];
    # Unlike the other subvolumes, /home is mounted without noatime.
    "/home" = btrfsSubvolume [ "subvol=@home" ];
    "/nix" = btrfsSubvolume [ "noatime" "compress=zstd" "subvol=@nix" ];
    "/var/log" = btrfsSubvolume [ "noatime" "compress=zstd" "subvol=@log" ];
  };

  environment.systemPackages = [ pkgs.wireguard-tools ];

  networking = {
    hosts = my.homelab.hosts;

    # Open exactly the two WireGuard listen ports. allowedUDPPorts is not
    # scoped to an interface, so the ports are reachable on every interface,
    # not only on the WAN link.
    firewall.allowedUDPPorts = [
      my.wireguard.netdevs.c8h4.wireguardConfig.ListenPort
      my.wireguard.netdevs.airlab.wireguardConfig.ListenPort
    ];

    # Addresses are static and handled by systemd-networkd below.
    useDHCP = false;
  };

  systemd.network.enable = true;

  systemd.network.networks = {
    "10-wan" = hetznerWanNetwork // {
      address = [
        "128.140.95.112/32"
        "2a01:4f8:c17:6f57::1/64"
      ];
    };
    "40-wg-c8h4" = my.wireguard.networks.c8h4;
    "41-wg-airlab" = my.wireguard.networks.airlab;
  };

  # Tunnel device definitions (keys, peers, listen ports) come from the
  # `my.wireguard` attribute set supplied by the caller.
  systemd.network.netdevs = {
    "40-wg-c8h4" = my.wireguard.netdevs.c8h4;
    "41-wg-airlab" = my.wireguard.netdevs.airlab;
  };
}