{ inputs, lib, config, pkgs, ... }:
let
  # Third-party nginx module fetched from a pinned git revision (rev + sha256,
  # so the build is reproducible). nginx's --add-module only needs the
  # sources, so just the .c files and the module's `config` script land in
  # $out and the stock fixup phase is switched off.
  geoip2Module = pkgs.stdenv.mkDerivation {
    name = "ngx_http_geoip2_module-a28ceff";
    src = pkgs.fetchgit {
      url = "https://github.com/leev/ngx_http_geoip2_module";
      rev = "445df24ef3781e488cee3dfe8a1e111997fc1dfe";
      sha256 = "1h2xkxpb2nk4r3pkbzgas5rbl95i59jpa59rh94x2hyzxmzrzvv8";
    };
    installPhase = ''
      mkdir $out
      cp *.c config $out/
    '';
    fixupPhase = "";
  };

  # nginx rebuilt with the geoip2 module compiled in. libmaxminddb is the
  # module's only extra build dependency.
  nginxWithGeoip2 = pkgs.nginx.overrideAttrs (prev: {
    configureFlags = prev.configureFlags ++ [ "--add-module=${geoip2Module}" ];
    buildInputs = prev.buildInputs ++ [ pkgs.libmaxminddb ];
  });
in
{
  system.stateVersion = "23.11";

  # Boot
  boot.loader.systemd-boot.enable = true;

  # Proxmox guest integration: QEMU guest agent plus cloud-init, which is
  # restricted to the NoCloud and ConfigDrive datasources via a drop-in.
  services.qemuGuest.enable = true;
  services.cloud-init = {
    enable = true;
    network.enable = true;
  };
  environment.etc."cloud/cloud.cfg.d/99_pve.cfg".text = ''
    datasource_list: [ NoCloud, ConfigDrive ]
  '';

  # User management
  # TODO: Should this be in cloud-init?
  #
  # The `nixos` account is effectively root-equivalent: it gets passwordless
  # sudo through `wheel`, and being in nix's trusted-users lets it override
  # daemon settings (substituters, builders, ...) that normally need root.
  # NOTE(review): `users.users.<name>.password` is the cleartext option; the
  # value is written into the world-readable Nix store. `hashedPassword` /
  # `hashedPasswordFile` (or leaving the password to cloud-init) would avoid
  # that. SSH below is key-only, so the password matters for console/sudo
  # paths rather than remote login.
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "nixos" ];
  users.users.nixos = {
    isNormalUser = true;
    password = "hunter2";
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICXAlzwziqfUUb2qmFwNF/nrBYc5MNT1MMOx81ohBmB+ tine@little.sys.tjo.space"
    ];
  };

  # SSH: public-key only, no interactive/password auth, no root login.
  # Port 22 is opened on every interface in the firewall section below, so
  # these settings are the only thing standing between the internet and a
  # root-equivalent account.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Tailscale
  services.tailscale.enable = true;

  # Networking / firewall. tailscale0 is fully trusted, i.e. every listening
  # service (including the webhook on 9000, which is *not* in
  # allowedTCPPorts) is reachable over the tailnet but not from elsewhere.
  networking = {
    useNetworkd = true;
    firewall = {
      enable = true;
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
      allowedTCPPorts = [ 22 80 443 ];
    };
  };

  # nginx, using the geoip2-enabled build defined above.
  services.nginx = {
    enable = true;
    package = nginxWithGeoip2;
  };

  # Webhook
  # TODO: we will have multiple instances of these; should they somehow
  # broadcast changes to each other? Should this be a Go service instead,
  # with some raft mechanism? At that point we could also switch from nginx
  # to envoy or something...
  #
  # Only a placeholder `test` hook is defined for now. The listener is not
  # exposed by the firewall; see the networking section.
  services.webhook = {
    enable = true;
    port = 9000;
    hooks = {
      test = {
        execute-command = "echo 'test'";
      };
    };
  };

  # NOTE(review): this is the stock pkgs.nginx, not the geoip2 build the
  # service runs, so the `nginx` binary on PATH (e.g. for `nginx -t`) will
  # not recognise geoip2 directives. `config.services.nginx.package` would
  # keep the two in step.
  environment.systemPackages = [ pkgs.nginx ];
}