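# NixOS host configuration for "orbi".
#
# Layers the upstream hardened profile under the shared defaults and the
# per-service modules imported below; the remaining options pin host-level
# networking, telemetry and access settings.
{
  lib,
  config,
  pkgs,
  modulesPath,
  ...
}:
{
  imports = [

    # Upstream hardening baseline; host-specific options below are applied on top of it.
    (modulesPath + "/profiles/hardened.nix")

    ./hardware-configuration

    ../../system/all/defaults.nix

    ./service-forgejo-runner.nix
    ./service-forgejo.nix
    ./service-hedgedoc.nix
    ./service-nix-cache.nix
    ./service-photoprism.nix
    #    ./service-surrealdb.nix # not really needed at the moment
    ./service-taskchampion.nix
    ./service-vaultwarden.nix
    ./service-wastebin.nix

    ./nginx-ingolf-wagner-de.nix
    ./nginx-wkd.nix

    ./network-tinc.nix
    ./network-wireguard.nix

    ./media-arr.nix
    ./media-jellyfin.nix
    ./media-nextcloud.nix
    ./media-share.nix
    ./media-syncthing.nix
    ./media-transmission2.nix

    #./social-jitsi.nix
    ./social-matrix-terranix.nix

    ./topology.nix

  ];

  # The host firewall is kept on explicitly; the per-interface port openings
  # further down are the only holes punched into it by this file.
  networking.firewall.enable = true;

  # The Linux sysctl is "net.ipv4.ip_forward". The key used before
  # ("net.ipv4.ip_forwarding") does not exist, so the intended setting was
  # never applied. NOTE(review): Docker (the oci-containers backend below)
  # turns ip_forward on when it starts, and a host that routes traffic
  # between WireGuard/tinc peers needs forwarding enabled — confirm this host
  # only terminates tunnels before relying on forwarding staying off.
  boot.kernel.sysctl."net.ipv4.ip_forward" = false;

  services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

  networking.hostName = "orbi";

  components.terminal.enable = true;
  components.mainUser.enable = true;
  components.gui.enable = false;
  components.network.enable = true;
  components.network.nginx.landingpage.enable = false;
  components.network.wifi.enable = false;

  components.virtualisation.enable = true; # we only enable this stuff where we need it explicitly
  components.virtualisation.podman.enable = false;
  components.virtualisation.virtualbox.enable = false;

  virtualisation.oci-containers.backend = "docker";

  features.network.fail2ban.enable = true;
  features.boot.ssh.enable = true;

  telemetry.enable = true;
  # The receiver binds every interface, so reachability is governed by the
  # firewall: port 4317 is opened on wg0 only, and the "closed.public" health
  # check below verifies it is not reachable from the public side.
  # NOTE(review): OTLP over gRPC is TCP-only; the UDP opening is presumably
  # unused — verify before keeping it.
  telemetry.apps.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
  telemetry.apps.opentelemetry.exporter.endpoint = "10.100.0.2:4317"; # chungus
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
  networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
  healthchecks.closed.public.ports.opentelemetry = [ 4317 ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "contact@ingolf-wagner.de";

  # Health checks: the wg0 address must answer, the public name must not
  # expose the ports listed under healthchecks.closed.public.ports.
  healthchecks.closed.wg0.host = "10.100.0.1";
  healthchecks.closed.public.host = "orbi.public";

  # Key-based root login used by chungus for rsync/syncoid transfers (see the
  # packages below). NOTE(review): consider pinning this key to the peer's
  # address with a `from="..."` authorized_keys option so it is only usable
  # over the tunnel — confirm which interface chungus connects over first.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD"
  ];

  # TODO: still needed for syncoid transfers (author's note; verify which of
  # these are actually required on this side).
  environment.systemPackages = [
    pkgs.mbuffer
    pkgs.lzop
    pkgs.gzip
  ];

}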