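# NixOS configuration for one tjo.cloud instance. Per-instance values come from
# /etc/tjo.cloud/meta.json; secrets live under /etc/tjo.cloud/secrets/.
{ inputs, lib, config, pkgs, ... }:
let
  # nginx GeoIP2 module built from a pinned upstream commit. The source is
  # content-addressed (fetchgit sha256) and the derivation name is derived from
  # the revision so the two cannot drift apart (the previous name carried a
  # different, stale commit prefix).
  ngx_http_geoip2_module =
    let
      rev = "445df24ef3781e488cee3dfe8a1e111997fc1dfe";
    in
    pkgs.stdenv.mkDerivation {
      name = "ngx_http_geoip2_module-${builtins.substring 0 7 rev}";
      src = pkgs.fetchgit {
        url = "https://github.com/leev/ngx_http_geoip2_module";
        inherit rev;
        sha256 = "1h2xkxpb2nk4r3pkbzgas5rbl95i59jpa59rh94x2hyzxmzrzvv8";
      };
      # nginx's --add-module only needs the C sources and the `config` script;
      # nothing is compiled here, so the fixup phase is skipped as well.
      installPhase = ''
        mkdir $out
        cp *.c config $out/
      '';
      fixupPhase = "";
    };

  # Instance metadata (name, domain, ssh_keys) read at evaluation time from a
  # file provisioned outside this repository.
  instance = builtins.fromJSON (builtins.readFile "/etc/tjo.cloud/meta.json");

  # FIXME: url and sha256 are still empty placeholders, so evaluation/build
  # fails until they are filled in. Keep the sha256 pin once the URL is set:
  # this file is imported as NixOS configuration and therefore runs with full
  # privileges on every instance, so it must not be fetched unverified.
  base_configuration = pkgs.fetchurl {
    url = "";
    sha256 = "";
  };
in
{
  system.stateVersion = "24.05";

  # FIXME: Also import the pre-defined generator config.
  imports = [ base_configuration ];

  nix.nixPath = [ "nixos-config=/etc/tjo.cloud/configuration.nix" ];

  # NETWORK
  networking.hostName = instance.name;
  networking.domain = instance.domain;

  # USER MANAGEMENT
  # `nixos` is effectively root: passwordless sudo plus nix trusted-user
  # (trusted users can make the daemon build arbitrary derivations as root).
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "nixos" ];
  users.users.nixos = {
    isNormalUser = true;
    # Placeholder credential. `password` ends up in clear text in the
    # world-readable Nix store and is accepted on the VM console (SSH password
    # auth is disabled below, so it is not reachable over the network).
    # Prefer `hashedPasswordFile` pointing at a file under
    # /etc/tjo.cloud/secrets/, or remove it and rely on SSH keys + tailscale.
    password = "hunter2";
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = instance.ssh_keys;
  };

  # SSH: key-only, no root login.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # TAILSCALE
  services.tailscale = {
    enable = true;
    authKeyFile = "/etc/tjo.cloud/secrets/tailscale.com/authkey";
    # --ssh exposes Tailscale SSH to the tailnet; --accept-routes installs
    # subnet routes advertised by other nodes.
    extraUpFlags = [ "--ssh" "--accept-routes" ];
  };
  # Report the guest as ready to the hypervisor only once tailscale is up.
  systemd.services.qemu-guest-agent.after = [ "tailscaled-autoconnect.service" ];
  systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ];

  # FIREWALL
  # Everything on tailscale0 is trusted (all ports, including the webhook
  # listener below). Publicly, only SSH and HTTP(S) are opened; with
  # Tailscale SSH enabled, public 22 may be unnecessary — review.
  networking.firewall = {
    enable = true;
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
    allowedTCPPorts = [ 22 80 443 ];
  };

  # NGINX
  # Builds nginx with the GeoIP2 module linked in; no geoip2 directives or
  # MaxMind database are configured in this file. NOTE(review): nixpkgs ships
  # pkgs.nginxModules.geoip2 and NixOS has services.nginx.additionalModules,
  # which would replace the override — confirm before switching.
  services.nginx = {
    enable = true;
    package = pkgs.nginx.overrideAttrs (oldAttrs: {
      configureFlags = oldAttrs.configureFlags ++ [ "--add-module=${ngx_http_geoip2_module}" ];
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.libmaxminddb ];
    });
  };

  # WEBHOOK
  # TODO: we will have multiple instances of these,
  # should they somehow broadcast changes to eachother?
  # Should this be a GO service instead? With some raft mechanism?
  # At that point, we could also switch from nginx to envoy or something...
  #
  # Port 9000 is not in allowedTCPPorts, so the listener is reachable only
  # from tailscale0 and loopback.
  services.webhook = {
    enable = true;
    port = 9000;
    hooks = {
      test = {
        # webhook execs `execute-command` directly (no shell), so it must be a
        # single executable path; "echo 'test'" as one string fails to resolve.
        # Arguments are passed via pass-arguments-to-command instead.
        execute-command = "${pkgs.coreutils}/bin/echo";
        pass-arguments-to-command = [
          { source = "string"; name = "test"; }
        ];
        # No trigger-rule: any client that can reach the port fires this hook.
        # Add a trigger-rule (e.g. a shared-secret header match) before this
        # hook does anything beyond echo.
      };
    };
  };
}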