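# NixOS module for a single-host Jitsi Meet deployment.
#
# It enables SSH for deployment, the Jitsi Meet stack behind an nginx virtual
# host with an ACME certificate, and opens only the web and media ports in the
# firewall.
{ config, pkgs, lib, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  # SSH is the deployment and administration channel for this host.
  # Password logins are switched off so that only the key listed under
  # users.users.root below is accepted. This resolves the former note
  # "todo: allow ssh only with an ssh key".
  # NOTE(review): releases from 23.05 on spell this option
  # services.openssh.settings.PasswordAuthentication.
  # NOTE(review): keyboard-interactive authentication is a separate option
  # whose name differs between releases; disable it too for strict key-only
  # access.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  environment.systemPackages = [ pkgs.git ];

  networking.hostName = "host";

  # Contact address registered with the ACME CA. acceptTerms must be true
  # before any certificate is requested.
  # NOTE(review): newer releases name this option security.acme.defaults.email.
  security.acme.email = "contact@ingolf-wagner.de";
  security.acme.acceptTerms = true;

  # The public ssh key used at deployment.
  # With password logins disabled this is the only way into the machine, so
  # it has to be a key whose private half the deployer actually holds.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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"
  ];

  # Reference topology: one web/signalling host and any number of
  # videobridges.
  #
  #                   +                                       +
  #                   |                                       |
  #                   |                                       |
  #                   v                                       v
  #              80, 443 TCP                          443 TCP, 10000 UDP
  #           +--------------+                     +---------------------+
  #           |  nginx       |  5222, 5347 TCP     |                     |
  #           |  jitsi-meet  |<-------------------+|  jitsi-videobridge  |
  #           |  prosody     |         |           |                     |
  #           |  jicofo      |         |           +---------------------+
  #           +--------------+         |
  #                                    |           +---------------------+
  #                                    |           |                     |
  #                                    +----------+|  jitsi-videobridge  |
  #                                    |           |                     |
  #                                    |           +---------------------+
  #                                    |
  #                                    |           +---------------------+
  #                                    |           |                     |
  #                                    +----------+|  jitsi-videobridge  |
  #                                                |                     |
  #                                                +---------------------+
  #
  # This is a one server setup.
  # NOTE(review): nothing in this file restricts who may open a conference,
  # so anyone who can reach the host can presumably create rooms. Confirm
  # that an open instance is intended.
  services.jitsi-meet = {
    enable = true;
    hostName = "meet.palovandalo.com";

    # JItsi COnference FOcus is a server side focus component used in Jitsi
    # Meet conferences.
    # https://github.com/jitsi/jicofo
    jicofo.enable = true;

    # Whether to enable the nginx virtual host that serves the javascript
    # application and acts as a proxy for the XMPP server. Further nginx
    # configuration can be done by adapting
    # services.nginx.virtualHosts.<hostName>. When this is enabled, ACME is
    # used to retrieve a TLS certificate by default. To disable this, set
    # services.nginx.virtualHosts.<hostName>.enableACME to false and, if
    # appropriate, do the same for
    # services.nginx.virtualHosts.<hostName>.forceSSL.
    nginx.enable = true;

    # https://github.com/jitsi/jitsi-meet/blob/master/config.js
    config = {
      enableWelcomePage = false;
      defaultLang = "en";
    };

    # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js
    interfaceConfig = {
      SHOW_JITSI_WATERMARK = false;
      SHOW_WATERMARK_FOR_GUESTS = false;
    };
  };

  # Only the ports from the diagram that face the internet are opened here:
  # HTTP/HTTPS for nginx and the UDP media port for the videobridge.
  # 5222 and 5347 are left closed because every component runs on this host.
  # The SSH port is not listed. The openssh module opens it on its own unless
  # told otherwise.
  networking.firewall = {
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [ 10000 ];
  };
}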