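# NixOS configuration for the host "tien": a QEMU guest that terminates
# HTTP/HTTPS with Caddy and forwards each virtual host to a backend named
# `base`. It also runs a searx instance, with Tailscale as the trusted network.
{ modulesPath, lib, pkgs, ... }:
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
  ];

  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  environment.systemPackages = with pkgs; [ curl ];

  networking.hostName = "tien";
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  # `lib` is already a module argument, so use it directly instead of `pkgs.lib`.
  networking.useDHCP = lib.mkForce false;

  networking.firewall = {
    enable = true;
    # Only these two ports are opened on every interface.
    allowedTCPPorts = [ 80 443 ];
    # Traffic arriving on a trusted interface skips the firewall entirely, so
    # every listening service on this host (searx on 8888 included) is
    # reachable from any peer that can route to it over tailscale0.
    # NOTE(review): confirm the tailnet ACLs restrict which peers may connect.
    trustedInterfaces = [ "tailscale0" ];
  };

  services.caddy = {
    enable = true;
    # Contact address for Caddy's ACME account, assembled from parts.
    email = lib.strings.concatStrings [ "mail" "@" "johannes-rothe.de" ];
    # Every site forwards to a port on `base` without an explicit scheme, so
    # the upstream hop is plain HTTP.
    # NOTE(review): presumably `base` is a tailnet peer and that hop stays
    # inside the Tailscale tunnel; verify how the name resolves.
    virtualHosts = {
      "johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
      "feeds.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:1990
      '';
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      hostname = "tien";
    };
  };

  services.searx = {
    enable = true;
    redisCreateLocally = true;
    settings.server = {
      # Listens on all interfaces. Port 8888 is not in allowedTCPPorts, so
      # public reachability is prevented only by the firewall above, while
      # tailscale0 peers can reach it directly.
      bind_address = "0.0.0.0";
      port = 8888;
      # NOTE(review): this literal is copied into the world-readable Nix store
      # and lives in version control, yet searx uses secret_key for
      # cryptographic purposes. A guessable value is tolerable only while the
      # instance stays private. To keep the key out of the store, supply it
      # through the module's `services.searx.environmentFile` option.
      secret_key = "localonly";
    };
  };

  services.tailscale.enable = true;

  system.stateVersion = "24.05";
}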