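# NixOS host "surtr": a QEMU guest with a volatile tmpfs root, ZFS for
# persistent state (see ./zfs.nix), static networking via systemd-networkd,
# a hand-written nftables ruleset and NTS-authenticated time sync.
# `flake`, `pkgs` and `lib` are injected by the module system.
{ flake, pkgs, lib, ... }:

{
  imports = with flake.nixosModules.systemProfiles; [
    qemu-guest
    openssh
    rebuild-machines
    ./zfs.nix
    ./dns
    ./tls.nix
  ];

  config = {
    nixpkgs = {
      system = "x86_64-linux";
    };

    # ZFS needs a stable hostId; it is the first 8 hex digits of the pinned
    # machine-id below, so the two values cannot drift apart across rebuilds.
    networking.hostId = "a64cf4d7";
    environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";

    boot = {
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/vda";
      };
      kernelPackages = pkgs.linuxPackages_latest;
      tmpOnTmpfs = true;
      supportedFilesystems = [ "zfs" ];
      zfs = {
        enableUnstable = true;
        devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
      };
      # Provides /dev/ptp_kvm, the hypervisor clock chrony uses as a refclock below.
      kernelModules = [ "ptp_kvm" ];
    };

    # "/" is a tmpfs and is lost on reboot; anything persistent is presumably
    # mounted from ZFS datasets by ./zfs.nix (not visible here — confirm).
    fileSystems = {
      "/" = {
        fsType = "tmpfs";
        options = [ "mode=0755" ];
      };
      "/boot" = {
        device = "/dev/disk/by-label/boot";
        fsType = "vfat";
      };
    };

    networking = {
      hostName = "surtr";
      domain = "yggdrasil";
      search = [ "yggdrasil" ];
      enableIPv6 = true;

      # Fully static addressing through systemd-networkd; no DHCP client runs.
      dhcpcd.enable = false;
      useDHCP = false;
      useNetworkd = true;
      defaultGateway = { address = "202.61.240.1"; };
      defaultGateway6 = { address = "fe80::1"; };
      interfaces."ens3" = {
        ipv4.addresses = [
          { address = "202.61.241.61"; prefixLength = 22; }
        ];
        ipv6.addresses = [
          { address = "2a03:4000:52:ada::"; prefixLength = 64; }
        ];
      };

      # Packet filtering is done entirely by the hand-written nftables ruleset.
      nftables = {
        enable = true;
        rulesetFile = ./ruleset.nft;
      };

      # The NixOS firewall module is kept disabled. The original file set
      # networking.firewall.enable to false and, inside this block, to true —
      # a duplicate attribute that Nix rejects at evaluation — and on releases
      # where the firewall is iptables-based it cannot coexist with
      # networking.nftables anyway. With the module off, the port lists below
      # are NOT enforced by NixOS: they only record what ./ruleset.nft is
      # expected to admit and must be kept in sync with it by hand.
      firewall = {
        enable = false;
        allowPing = true;
        allowedTCPPorts = [
          22 # ssh
        ];
        allowedUDPPorts = [
          51820
          51821 # wireguard
        ];
        allowedUDPPortRanges = [
          { from = 60000; to = 61000; } # mosh
        ];
      };
    };

    systemd.network.networks."40-ens3".networkConfig = {
      # "~." routes every DNS query to this link's resolvers. mkForce suggests
      # another imported module (likely ./dns) also sets Domains — confirm.
      Domains = lib.mkForce "~.";
      DNS = [
        "46.38.225.230"
        "46.38.252.230"
        "2a03:4000:0:1::e1e6"
        "2a03:4000:8000::fce6"
      ];
    };

    # chrony replaces systemd-timesyncd. Every network source is NTS-
    # authenticated; the KVM PTP clock is a local, lower-preference (stratum 3)
    # reference. `servers = []` drops the distribution's default pool and
    # `cmdport 0` closes chronyc's UDP command socket.
    services.timesyncd.enable = false;
    services.chrony = {
      enable = true;
      servers = [];
      extraConfig = ''
        pool time.cloudflare.com iburst nts
        pool nts.ntp.se iburst nts
        server nts.sth1.ntp.se iburst nts
        server nts.sth2.ntp.se iburst nts
        server ptbtime1.ptb.de iburst nts
        server ptbtime2.ptb.de iburst nts
        server ptbtime3.ptb.de iburst nts
        refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
        makestep 0.1 3
        cmdport 0
      '';
    };

    # Public-key-only SSH, restricted to members of the "ssh" group
    # (currently just root).
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      challengeResponseAuthentication = false;
      # Stated explicitly so the key-only root policy does not depend on the
      # module default; matches the default for this option's era.
      permitRootLogin = "prohibit-password";
      extraConfig = ''
        AllowGroups ssh
      '';
    };
    users.groups."ssh" = {
      members = [ "root" ];
    };

    security.sudo.extraConfig = ''
      Defaults lecture = never
    '';

    nix.gc = {
      automatic = true;
      options = "--delete-older-than 30d";
    };
  };
}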