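{ config, pkgs, lib, ... }:

# NixOS host configuration for "sputnik": a small server reached over the
# tinc "private" overlay, with the shared proxy/server modules plus a few
# service-specific modules imported from alongside this file.
{
  imports = [
    ../../system/proxy
    ./hardware-configuration.nix
    ../../system/server/packages.nix
    ./nginx.nix
    ./tinc.nix
    ./bitwarden.nix
    #./codimd.nix
    #./syncplay.nix
    ./grocy.nix
  ];

  # Host-specific secrets file consumed by the sops-nix module.
  sops.defaultSopsFile = ../../secrets/sputnik.yaml;

  networking.hostName = "sputnik";
  networking.useDHCP = true;

  # Keep the classic "eth0" interface naming; the fireqos block below refers to it.
  boot.kernelParams = [ "net.ifnames=0" ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/sda";
  };

  # Bandwidth figures (kbit/s, presumably) were measured with:
  #   nix-shell -p speedtest_cli --run speedtest
  configuration.fireqos = {
    enable = true;
    interface = "eth0";
    input = 55000;
    output = 4000;
    balance = false;
  };

  # Root login via the Jenkins deploy key only.
  services.custom.ssh.sshd.rootKeyFiles = [ ../../assets/ssh/jenkins.pub ];

  # Make sure ssh is only reachable through the tinc network: incoming TCP/22
  # arriving on any interface other than tinc.private is NAT-redirected to
  # port 0, so the connection never reaches sshd.
  # NOTE(review): this is an iptables (IPv4) rule only; ip6tables is not
  # touched, so SSH over IPv6 is not covered if the host has a global IPv6
  # address — confirm.
  networking.firewall.extraCommands = ''
    iptables -t nat -A PREROUTING ! -i tinc.private -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0
  '';
  # extraCommands run on every firewall (re)start and the NixOS firewall does
  # not clean up the nat table itself, so the rule above would be appended a
  # second time on each restart. Delete it on stop so restarts do not
  # accumulate duplicate rules; "|| true" keeps the stop script from failing
  # when the rule is already gone.
  networking.firewall.extraStopCommands = ''
    iptables -t nat -D PREROUTING ! -i tinc.private -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0 2>/dev/null || true
  '';

  # Enable all subdomains to be reached to make nginx rules easier: emit one
  # wildcard dnsmasq entry per tinc host of the "private" network, of the
  # form "address=/.<host>.private/<tincIp>", so that anything.<host>.private
  # resolves to that host's tinc address.
  services.dnsmasq = with lib; {
    enable = true;
    extraConfig = ''
      ${concatStringsSep "\n" (flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
        (name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
    '';
  };
}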