{ config, lib, pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ../../users/simon

    ./services/ankisyncd.nix
    ./services/dnsmasq.nix
    ./services/drone
    ./services/gitea.nix
    ./services/grafana.nix
    ./services/hedgedoc.nix
    ./services/matrix
    ./services/media.nix
    ./services/prometheus.nix
    ./services/scan.nix
    ./services/torrent.nix
    ./services/wordclock-dimmer.nix
  ];

  sbruder = {
    wireguard.home.enable = true;
    nginx.hardening.enable = true;
    restic.system = {
      enable = true;
      extraPaths = [
        "/data"
      ];
      extraExcludes = [
        "/data/media/video"
        "/data/misc"
        "/data/torrent"
      ];
    };
    unfree.allowSoftware = true;
  };

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."fuuko.home.sbruder.de" = {
      enableACME = true;
      forceSSL = true;
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";

  services.postgresqlBackup = {
    enable = true;
    startAt = [ ]; # triggered by restic system backup
    location = "/data/backup/postgresql";
  };
  systemd.services.restic-backups-system = {
    after = [ "postgresqlBackup.service" ];
    wants = [ "postgresqlBackup.service" ];
  };

  networking.hostName = "fuuko";

  system.stateVersion = "20.09";
}