{ modulesPath, repoFlake, config, ... }:
let
  # Boot/root disk, addressed by its stable by-id path so that a reshuffle of
  # /dev/sdX names between boots cannot point disko at the wrong device.
  disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN";

  # btrfs subvolumes created on the root partition.
  rootSubvolumes = {
    # Subvolume name is different from mountpoint
    "/rootfs" = { mountpoint = "/"; };
    # NOTE(review): no explicit mountpoint is given for /nix; confirm that the
    # disko revision pinned in repoFlake mounts it at /nix implicitly, otherwise
    # the store simply lives inside /rootfs.
    "/nix" = { mountOptions = [ "noatime" ]; };
  };
in
{
  disabledModules = [ ];

  imports = [
    repoFlake.inputs.disko.nixosModules.disko
    repoFlake.inputs.srvos.nixosModules.server
    (modulesPath + "/profiles/all-hardware.nix")
    repoFlake.inputs.srvos.nixosModules.mixins-terminfo
    repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot
    repoFlake.inputs.sops-nix.nixosModules.sops
    ../../profiles/common/user.nix
  ];

  ## bare-metal machines
  srvos.boot.consoles = [ "tty0" ];

  # systemd-boot (via the srvos mixin above) is the loader; GRUB stays off and
  # the firmware's EFI variables are left untouched.
  boot.loader = {
    grub.enable = false;
    efi.canTouchEfiVariables = false;
  };

  # Disk layout: a 1M bios_grub stub (kept although GRUB is disabled), a vfat
  # ESP mounted at /boot, and a btrfs root taking the rest of the device.
  disko.devices.disk.main = {
    device = disk;
    type = "disk";
    content = {
      type = "table";
      format = "gpt";
      partitions = [
        {
          name = "boot";
          start = "0";
          end = "1M";
          part-type = "primary";
          flags = [ "bios_grub" ];
        }
        {
          name = "ESP";
          start = "1M";
          end = "512M";
          bootable = true;
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        }
        {
          name = "root";
          start = "512M";
          end = "100%";
          part-type = "primary";
          bootable = true;
          content = {
            type = "btrfs";
            extraArgs = [ "-f" ]; # Override existing partition
            subvolumes = rootSubvolumes;
          };
        }
      ];
    };
  };

  hardware = {
    enableAllFirmware = true;
    enableRedistributableFirmware = true;
    cpu.intel.updateMicrocode = true;
  };
  nixpkgs.config.allowUnfree = true;

  # sshd is the only service exposed here; authentication policy comes from
  # the imported srvos server module rather than from this file.
  services.openssh.enable = true;

  # Networking is handled by systemd-networkd; dhcpcd is switched off below so
  # the two do not fight over the same interfaces.
  systemd.network = {
    enable = true;
    networks."10-lan" = {
      # Legacy kernel names (eth0, eth1, ...) are used because
      # usePredictableInterfaceNames is disabled further down.
      matchConfig.Name = "eth*";
      networkConfig = {
        # enable DHCP for IPv4 *and* IPv6
        DHCP = "yes";
        # accept Router Advertisements for Stateless IPv6 Autoconfiguration (SLAAC)
        IPv6AcceptRA = true;
      };
    };
  };

  networking = {
    dhcpcd.enable = false;
    usePredictableInterfaceNames = false;

    firewall = {
      enable = true;
      allowedTCPPorts = [
        22
        # iperf3 — a permanently open benchmarking port on a server; worth
        # closing once the measurements are done.
        5201
      ];
      # NOTE(review): with refused-connection logging off there is no record of
      # port scans or blocked probes in the journal; re-enable if that
      # visibility is wanted.
      logRefusedConnections = false;
    };

    # NAT for nixos-containers (veth interfaces "ve-*") out through eth0;
    # `containers` below is currently empty, so nothing uses it yet.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "eth0";
    };
  };

  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];

  # virtualization
  # virtualisation = {docker.enable = true;};

  nix.gc.automatic = true;

  containers = { };

  # Nomad client setup, kept here but disabled.
  # NOTE(review): if this block is revived, look again at `dropPrivileges = false`
  # together with `plugin.raw_exec.config.enabled = true` — that combination
  # appears to let scheduled jobs run unconfined as the agent's (root) user.
  #
  # sops.secrets.holochain-nomad-agent-ca = {
  #   sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
  #   owner = config.users.extraUsers.nomad.name;
  #   group = config.users.groups.nomad.name;
  # };
  # sops.secrets.holochain-global-nomad-client-cert = {
  #   sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
  #   owner = config.users.extraUsers.nomad.name;
  #   group = config.users.groups.nomad.name;
  # };
  # sops.secrets.holochain-global-client-nomad-key = {
  #   sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
  #   owner = config.users.extraUsers.nomad.name;
  #   group = config.users.groups.nomad.name;
  # };
  # services.nomad = {
  #   enable = true;
  #   package = packages'.nomad;
  #   enableDocker = false;
  #   dropPrivileges = false;
  #   extraPackages = [
  #     pkgs.coreutils
  #     pkgs.nix
  #     pkgs.bash
  #     pkgs.gitFull
  #     pkgs.cacert
  #   ];
  #   settings = {
  #     server.enabled = false;
  #     client = {
  #       enabled = true;
  #       server_join = {
  #         retry_join = [
  #           "infra.holochain.org"
  #         ];
  #         retry_interval = "60s";
  #       };
  #       node_class = "testing";
  #       meta = {
  #         inherit (pkgs.targetPlatform) system;
  #         features = builtins.concatStringsSep "," [
  #           "poc-1"
  #           "poc-2"
  #           "ipv4-nat"
  #           "nix"
  #           "nixos"
  #           "holoport"
  #         ];
  #         machine_type = "baremetal";
  #       };
  #     };
  #     tls = {
  #       http = true;
  #       rpc = true;
  #       ca_file = config.sops.secrets.holochain-nomad-agent-ca.path;
  #       cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path;
  #       key_file = config.sops.secrets.holochain-global-client-nomad-key.path;
  #       verify_server_hostname = true;
  #       verify_https_client = true;
  #     };
  #     plugin.raw_exec.config.enabled = true;
  #   };
  # };
  # users.extraUsers.nomad.isNormalUser = true;
  # users.extraUsers.nomad.isSystemUser = false;
  # users.extraUsers.nomad.group = "nomad";
  # users.extraUsers.nomad.home = config.services.nomad.settings.data_dir;
  # users.extraUsers.nomad.createHome = true;
  # users.groups.nomad.members = ["nomad"];
  # systemd.services.nomad.serviceConfig.User = "nomad";
  # systemd.services.nomad.serviceConfig.Group = "nomad";

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
}