{
  config,
  modulesPath,
  pkgs,
  lib,
  ...
}:

{
  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];

  systemd.suppressedSystemUnits = [
    "dev-mqueue.mount"
    "sys-kernel-debug.mount"
    "sys-fs-fuse-connections.mount"
  ];

  nix = {
    optimise = {
      automatic = true;
      dates = [ "11:00" ];
    };
    settings = {
      auto-optimise-store = true;
      sandbox = false;
      # Allow remote updates
      trusted-users = [
        "root"
        "@wheel"
      ];
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
    gc = {
      automatic = true;
      options = "--delete-older-then 14d";
    };
  };

  nixpkgs.hostPlatform = "x86_64-linux";

  environment.systemPackages = with pkgs; [
    vim
    git
  ];

  proxmoxLXC = {
    manageNetwork = false;
    manageHostName = false;
    privileged = true;
  };

  users.users.root = {
    packages = with pkgs; [
      kitty # for terminfo
      neofetch # for shits and giggles
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwYcSxbP6Hon//kZFIZJSHdqvsJ6AyCwH4JP9/t4q46 xengi@yuka_2020-12-16"
    ];
  };

  networking = {
    useNetworkd = true;
    nftables.enable = true;
    dhcpcd.enable = false;
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # SSH
        80 # HTTP/1
        443 # HTTP/2
        8448 # Matrix federation
      ];
      allowedUDPPorts = [
        443 # HTTP/3
      ];
    };
  };

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
  console.font = "Lat2-Terminus16";

  services = {
    fstrim.enable = false; # Let Proxmox host handle fstrim
    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        PermitEmptyPasswords = "no";
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
      banner = ''
                            __                                               __
                           /\ \__         __                                /\ \
          ___ ___      __  \ \ ,_\  _ __ /\_\   __  _      ___    ___    ___\ \ \____
        /' __` __`\  /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\    /'___\ /'___\ /'___\ \ '__`\
        /\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/>  </   /\ \__//\ \__//\ \__/\ \ \L\ \
        \ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\  \ \_\/\_/\_\  \ \____\ \____\ \____\\ \_,__/
         \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/   \/_/\//\/_/   \/____/\/____/\/____/ \/___/
      '';
    };
    # Cache DNS lookups to improve performance
    resolved = {
      enable = true;
      fallbackDns = [
        "1.1.1.1#one.one.one.one"
        "9.9.9.9#dns.quad9.net"
      ];
      dnssec = "allow-downgrade";
      dnsovertls = "true";
      extraConfig = ''
        Cache=true
        CacheFromLocalhost=true
      '';
    };
  };

  programs = {
    vim = {
      enable = true;
      defaultEditor = true;
    };
    htop = {
      enable = true;
    };
    ssh.startAgent = true;
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults = {
        validMinDays = 14;
        renewInterval = "daily";
        email = "acme@xengi.de";
        group = "nginx";
        webroot = "/var/lib/acme/acme-challenges";
      };
    };
  };

  system.stateVersion = "25.05";
}