{  config, modulesPath, lib, pkgs, ... }:
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./vps-disk-config.nix
  ];
  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  environment.systemPackages = with pkgs; [
    authelia
    curl
    vim
  ];

  networking.hostName = "tien";
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  networking.useDHCP = pkgs.lib.mkForce false;
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    trustedInterfaces = [ "tailscale0" ];
  };

  services.authelia.instances.main = {
    enable = true;
    secrets = {
      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
    };
    settings = {
      theme = "auto";
      default_redirection_url = "https://auth.johannes-rothe.de";

      server = {
        host = "127.0.0.1";
        port = 9091;
      };

      log = {
        level = "debug";
        format = "text";
      };

      authentication_backend = {
        #file = {
        #  path = "/var/lib/authelia-main/users_database.yml";
        #};
        password_reset.disable = false;
        refresh_interval = "1m";
        ldap = {
          implementation = "custom";
          url = "ldap://localhost:3890";
          timeout = "5s";
          start_tls = false;
          base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
          additional_users_dn = "ou=people";
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          additional_groups_dn = "ou=groups";
          groups_filter = "(member={dn})";
          display_name_attribute = "displayName";
          username_attribute = "uid";
          group_name_attribute = "cn";
          mail_attribute = "mail";
          # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
          # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
          user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
          # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
          password = "REPLACE_ME";
        };
      };

      access_control = {
        default_policy = "one_factor";
        rules = [
          #{
          #  domain = ["auth.example.com"];
          #  policy = "bypass";
          #}
          #{
          #  domain = ["*.example.com"];
          #  policy = "one_factor";
          #}
        ];
      };

      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        domain = "example.com";
        redis.host = "/run/redis-authelia-main/redis.sock";
      };

      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };

      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };

      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };

  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };

  services.headscale = {
      enable = true;
      address = "0.0.0.0";
      port = 8080;
      settings = {
        dns_config.base_domain= "johannes-rothe.de";
        server_url = "https://headscale.johannes-rothe.de";
      };
  };


  services.caddy = {
    enable = true;
    email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
    virtualHosts = {
      "johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "accounts.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:9095
      '';
      "auth.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:9091
      '';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
      "feeds.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:1990
      '';
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
      "headscale.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:8080
      '';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      hostname = "tien";
    };
  };

  services.lldap = {
    enable = true;
    settings = {
      http_host = "127.0.0.1";
      http_port = 9095;
      http_url = "https://accounts.johannes-rothe.de";
      ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
    };
  };

  services.searx = {
    enable = true;
    redisCreateLocally = true;
    settings.server = {
      bind_address = "0.0.0.0";
      port = 8888;
      secret_key = "localonly";
    };
  };


  services.tailscale.enable = true;

  system.stateVersion = "24.05";
}