# NixOS configuration for the host "brno" in the loang.net domain.
# It runs nginx (two TLS virtual hosts with ACME certificates), an IPFS node
# and OpenSSH on a non-default port, and defines three login users.
# Container/platform specifics come from ./vpsadminos.nix (not shown here).
{ config, pkgs, ... }:

{
  imports = [ ./vpsadminos.nix ];

  system.stateVersion = "22.05";
  time.timeZone = "UTC";

  # Raise systemd's default unit start timeout to 15 minutes.
  systemd.extraConfig = ''
    DefaultTimeoutStartSec=900s
  '';

  environment.enableAllTerminfo = true;
  environment.systemPackages = [ pkgs.git pkgs.vim ];

  networking.hostName = "brno";
  networking.domain = "loang.net";

  # Inbound ports are opened for every source address; each one must match
  # a service enabled below (2211 is the sshd port set in services.openssh).
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # TLS
    2211 # SSH
    4001 # IPFS
  ];
  networking.firewall.allowedUDPPorts = [
    4001 # IPFS
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "mcsinyx@disroot.org";

  # sudo is executable by members of wheel only, and wheel members are not
  # asked for a password. Together with key-only SSH this means possession
  # of a wheel member's SSH private key is equivalent to root on this host;
  # in this file the only wheel member is cnx.
  security.sudo.enable = true;
  security.sudo.execWheelOnly = true;
  security.sudo.wheelNeedsPassword = false;

  # SSH: public-key authentication only, listening on 2211 instead of 22.
  services.openssh.enable = true;
  services.openssh.ports = [ 2211 ];
  services.openssh.passwordAuthentication = false;

  # IPFS node with periodic garbage collection of the local repository.
  services.ipfs.enable = true;
  services.ipfs.enableGC = true;

  # Both virtual hosts obtain certificates through ACME and redirect plain
  # HTTP to HTTPS (forceSSL), which is why port 80 stays open above.
  services.nginx.enable = true;
  services.nginx.virtualHosts."loang.net" = {
    root = "/var/www/loang.net";
    forceSSL = true;
    enableACME = true;
  };
  # NOTE(review): this document root lives inside cnx's home directory, so
  # its content is controlled by that user; confirm that nginx can traverse
  # the home directory and that nothing outside web/ becomes readable.
  services.nginx.virtualHosts."cnx.loang.net" = {
    root = "${config.users.users.cnx.home}/web";
    forceSSL = true;
    enableACME = true;
  };

  # Login accounts. The authorized keys are taken from files under /etc/ssh
  # and read at build time, so whoever can write those files before a
  # rebuild decides who may log in; keep them root-owned and not writable
  # by others.
  users.users.ckie = {
    isNormalUser = true;
    openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
  };
  # cnx is the administrator account: membership in wheel grants
  # passwordless sudo (see security.sudo above).
  users.users.cnx = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    packages = [ pkgs.stow ];
    openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
  };
  users.users.xarvos = {
    isNormalUser = true;
    openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
  };
}