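# Host configuration: runs the system closure from `inputs.oldConf` ("ds9") as
# a declarative NixOS container, NATs its private veth network out through
# enp1s0f1, and reverse-proxies *.hailsatan.eu to it through Traefik. A
# ten-minute timer runs a sops-managed dyndns script.
{ config, pkgs, lib, inputs, ... }:
{
  nixpkgs.system = "x86_64-linux";

  imports = [
    ./hardware-configuration.nix
    # ./services/attic.nix
    # ./services/immich.nix
    # ./services/jellyfin.nix
    # ./services/paperless.nix
    # ./services/ytdl-sub.nix
  ];

  time.timeZone = "Europe/Berlin";
  networking.hostId = "7b4c2932";

  containers.ds9 = {
    autoStart = true;
    # Effectively disables the start timeout for the container unit.
    timeoutStartSec = "10000000min";
    privateNetwork = true;
    enableTun = true;
    # NOTE(review): CAP_SYS_ADMIN together with CAP_MKNOD, CAP_BPF and
    # CAP_DAC_READ_SEARCH leaves very little separation between root inside
    # the container and the host. Treat ds9 as part of the host's trust
    # boundary, or trim this list to what the workloads inside actually need.
    additionalCapabilities = [
      "CAP_NET_ADMIN"
      "CAP_MKNOD"
      "CAP_BPF"
      "CAP_DAC_READ_SEARCH"
      "CAP_SYS_RESOURCE"
      "CAP_SYS_ADMIN"
    ];
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    # hostAddress6 = "fc00::1";
    # localAddress6 = "fc00::2";
    path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;
    # NOTE(review): every mount below is read-write, /backups included, so a
    # compromise inside the container can alter or delete the backups. Mount
    # read-only wherever the container only needs to read.
    bindMounts = {
      "/data" = {
        hostPath = "/data";
        isReadOnly = false;
      };
      "/backups" = {
        hostPath = "/backups";
        isReadOnly = false;
      };
      "/persistent" = {
        hostPath = "/oldds9/persistent";
        isReadOnly = false;
      };
      "/var/lib/containers" = {
        hostPath = "/oldds9/persistent/var/lib/containers";
        isReadOnly = false;
      };
    };
  };

  # Outbound NAT for the container veth interfaces ("ve-+" matches all of them).
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp1s0f1";
  };

  # TODO: changeme
  services.traefik.dynamicConfigOptions.http.routers = {
    # In a Nix double-quoted string "\." collapses to a bare ".", which the
    # regexp engine then treats as "any character". The backslash has to be
    # doubled for the literal-dot escape to reach Traefik, so that only real
    # subdomains of hailsatan.eu match the Host rule.
    simpleproxy-oldds9-router.rule =
      lib.mkForce "HostRegexp(`^.+\\.hailsatan\\.eu$`)";
    # simpleproxy-oldds9-router.tls.options = "old";
    simpleproxy-oldds9-router-robotstxt.rule =
      lib.mkForce "HostRegexp(`^.+\\.hailsatan\\.eu$`) && Path(`/robots.txt`)";
  };

  xyno.services.traefik = {
    enable = true;
    simpleProxy.oldds9 = {
      host = "*.hailsatan.eu";
      internal = "http://192.168.100.11";
    };
  };

  # NOTE(review): `password` stores the cleartext in the world-readable Nix
  # store and in version control, and this value is a well-known example
  # password. Replace it with `hashedPasswordFile` pointing at a sops secret
  # marked `neededForUsers = true`, and rotate the password.
  users.users.root.password = "hunter2";

  # The decrypted sops secret is itself the script: it is run with bash, as
  # root, every ten minutes.
  # NOTE(review): anyone able to change secrets/dyndns.yaml gets root code
  # execution on this host. Keeping only the credential in sops, and running
  # the unit as an unprivileged user that owns the secret, would narrow that.
  systemd.services."dyndns-refresh" = {
    script = ''
      set -eu
      export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin
      ${pkgs.bash}/bin/bash ${config.sops.secrets.dyndns.path}
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
    startAt = "*:0/10";
  };

  sops.secrets.dyndns = {
    sopsFile = ./secrets/dyndns.yaml;
  };

  xyno.presets.cli.enable = true;
  xyno.presets.server.enable = true;
  xyno.impermanence.enable = true;
  # xyno.services.wireguard.enable = true;
  # xyno.services.caddy.enable = true;
  # xyno.services.monitoring.enable = true;
  # xyno.services.authentik.enable = true;
  xyno.presets.home-manager.enable = true;
  xyno.system.user.enable = true;
  xyno.networking.networkd = {
    enable = true;
  };

  # DHCP is forced off globally and re-enabled on the uplink interface only.
  networking.useDHCP = lib.mkForce false;
  networking.interfaces."enp1s0f1" = {
    useDHCP = true;
    tempAddress = "enabled";
  };
  systemd.network.networks."40-enp1s0f1" = {
    networkConfig = {
      IPv6AcceptRA = true;
    };
  };

  system.stateVersion = "25.11";
}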