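# NixOS host configuration for "faunus-ater": a ZFS-backed home server that
# runs its services in podman containers and exposes them over the VPN only.
{ pkgs, lib, config, inputs, ... }:
let
  # Resolve the on-disk path of a sops-managed secret by its name.  Kept as a
  # function so the lookup happens lazily, after the sops module has evaluated.
  sopsPath = key: config.sops.secrets.${key}.path;
in {
  imports = [
    inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
    ../../modules/nginx-reverse-proxy.nix
    ../../hardware/asrock-z370-i3-black-box.nix
    ./modules/forgejo.nix
    ./modules/home-assistant.nix
    ./modules/hydra.nix
    ./modules/komga.nix
    ./modules/mealie.nix
    ./modules/nix-serve.nix
    ./modules/paperless.nix
    ./modules/photoprism.nix
    ./modules/restic.nix
    ./modules/seaweedfs.nix
    ./modules/timetagger.nix
    ./modules/trilium.nix
  ];

  config = {
    networking.hostName = "faunus-ater";
    # ZFS needs a stable hostId; the NixOS zfs module refuses to build without one.
    networking.hostId = "a4d7bec4";
    networking.interfaces.eno1.useDHCP = true;

    # === Make sure ZFS works ===
    # Source: https://nixos.wiki/wiki/ZFS
    # NOTE(review): newer nixpkgs releases have dropped
    # latestCompatibleLinuxPackages — confirm it still exists in the pinned nixpkgs.
    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

    # === Can't handle this ===
    # Headless box: a failing unit must not drop the system into the emergency shell.
    systemd.enableEmergencyMode = false;

    # === Settings ===
    # Custom option defined outside this file; presumably makes sshd reachable
    # beyond the VPN, so it widens this host's exposure — review together with
    # the firewall rules below.
    settings.ssh.openOutsideVPN = true;

    # === ZFS services ===
    services.zfs.trim.enable = true;
    services.zfs.autoScrub.enable = true;
    services.zfs.autoScrub.pools = [ "rpool" ];

    services.fwupd.enable = true;

    powerManagement = {
      enable = true;
      powertop.enable = true;
      cpuFreqGovernor = "powersave";
    };

    # === PODMAN ===
    virtualisation.oci-containers.backend = "podman";
    virtualisation.podman = {
      enable = true;
      dockerCompat = true;
      # The zfs storage driver below shells out to the zfs tooling.
      extraPackages = with pkgs; [ zfs ];
    };

    # Override storage driver
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
      };
    };

    # Microcode updates (CPU vulnerability mitigations) follow the
    # redistributable-firmware switch unless overridden elsewhere.
    hardware.cpu.intel.updateMicrocode =
      lib.mkDefault config.hardware.enableRedistributableFirmware;

    # === BACKUPS ===
    services.restic.backups = {
      # Make sure my 'active IO' disk get's saved once a day.
      # The repository is a local path on the same machine, so this protects
      # against accidental deletion, not against loss of the host itself.
      zdirty = {
        initialize = true;
        repository = "/data/archive/dirty.bak";
        timerConfig.OnCalendar = "daily";
        paths = lib.singleton "/data/dirty";
        pruneOpts = [
          "--keep-daily 1"
          "--keep-weekly 1"
          "--keep-monthly 1"
          "--keep-yearly 5"
        ];
        passwordFile = sopsPath "internal-restic-password";
      };
    };

    # === RUNTIME SECRETS ===
    sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml;
    # The age identity is derived from the host's ed25519 SSH key, so the
    # secrets file can only be decrypted on this machine.
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    sops.secrets = {
      "internal-restic-password" = { };
    };

    # === SERVICE EXPOSURE ===
    # All services that run here, that should be exposed need to be exposed on the VPN.
    # Ports are opened on the tailscale interface only, never on eno1.
    networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts =
      let
        # Parameter renamed from `config` so the module-level `config` is not shadowed.
        portOf = _: svc: svc.port;
        # A service counts when it is hosted on this machine and explicitly
        # flagged `external`; a missing `external` attribute means not exposed.
        runsHereAndExposed = _: svc:
          svc.host == config.networking.hostName
          && (svc ? external) && svc.external;
      in
        lib.attrsets.mapAttrsToList portOf
          (lib.attrsets.filterAttrs runsHereAndExposed config.state.services);

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
}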