{ pkgs, lib, config, nodeName, ... }:
let
  # Public SSH keys used below for the initrd unlock shell.
  keys = import ../../../variables/keys.nix;

  # NOTE(review): anything taken from this file is evaluated at build time.
  # If the container module writes the value into a generated config file,
  # it ends up in the world-readable /nix/store — confirm how backup-target.nix
  # consumes containerBackupCfg before treating this as a secret.
  passwords = import ../../../variables/passwords.crypt.nix;

  # Container modules; each is a function over the attrset passed below.
  mkBackupContainer = import ../../containers/backup.nix;
  mkBackupTargetContainer = import ../../containers/backup-target.nix;
in
{
  networking = {
    # Classic eth0 naming is relied on by the interface/NAT/gateway
    # definitions below; keep these in sync if this is ever flipped.
    usePredictableInterfaceNames = false;

    firewall = {
      enable = true;
      # NOTE(review): the source this was restored from had the comment and
      # the port collapsed onto one line; this reading keeps 5201 open.
      # Confirm that is intended — if iperf3 is not in use, drop it.
      allowedTCPPorts = [
        # iperf3
        5201
      ];
      # Refused connections are not logged, so there is no kernel-log audit
      # trail of blocked traffic on this host. Re-enable when investigating.
      logRefusedConnections = false;
    };

    dhcpcd = {
      enable = true;
      persistent = true;
    };

    interfaces.eth0 = {
      useDHCP = true;
      # Static IPv6; v4 comes from DHCP.
      ipv6.addresses = [
        {
          address = "2a02:c206:3010:2066::1";
          prefixLength = 64;
        }
      ];
    };

    defaultGateway6 = {
      address = "fe80::1";
      interface = "eth0";
    };

    # Masquerade the nixos-container veth interfaces out through eth0.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "eth0";
    };
  };

  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];

  # virtualization
  # NOTE: the docker daemon grants members of the docker group root-equivalent
  # access to the host; keep that group membership minimal.
  virtualisation.docker.enable = true;

  services = {
    spice-vdagentd.enable = true;
    qemuGuest.enable = true;
  };

  # Debug helper: prints the "Tasks:" line of sshd's status. It has no
  # wantedBy, so it only runs when started by hand or by the timer below
  # (currently commented out). Note that grep exits non-zero when the line
  # is absent, which marks the unit as failed.
  systemd.services."sshd-status" = {
    enable = true;
    description = "sshd-status service";
    path = [ pkgs.systemd ];
    script = ''
      systemctl status sshd | grep -i tasks
    '';
  };

  # systemd.services.sshd.serviceConfig = {TasksMax = 32;};
  # systemd.timers."sshd-status" = {
  #   description = "Timer to trigger sshd-status periodically";
  #   enable = true;
  #   wantedBy = ["timer.target" "multi-user.target"];
  #   timerConfig = {
  #     OnActiveSec = "5s";
  #     OnUnitActiveSec = "5s";
  #     AccuracySec = "1s";
  #     Unit = "sshd-status.service";
  #   };
  # };

  nix.gc.automatic = true;

  boot.initrd = {
    # Early-boot networking with an SSH listener in the initrd.
    network = {
      enable = true;
      udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
      ssh = {
        enable = true;
        authorizedKeys = keys.users.steveej.openssh;
        # These keys are copied into the initrd image, which normally lives on
        # an unencrypted /boot. They are deliberately separate from the main
        # sshd host keys; do not reuse those here.
        hostKeys = [
          "/etc/secrets/initrd/ssh_host_rsa_key"
          "/etc/secrets/initrd/ssh_host_ed25519_key"
        ];
      };
    };

    # Tear down every interface the initrd configured before stage 2 starts
    # — presumably so dhcpcd begins from a clean state; confirm if changing.
    postMountCommands = ''
      for iface in $(cd /sys/class/net && ls); do
        echo "Bringing down $iface..."
        ip address flush dev $iface
        ip link set $iface down
      done
    '';
  };

  containers = {
    backup = mkBackupContainer {
      autoStart = false;
      # The full host config is handed to the container module.
      inherit config;
      hostAddress = "192.168.100.16";
      localAddress = "192.168.100.17";
      subvolumes = [ "mailserver" "webserver" "backup" "syncthing" ];
    };

    bkpTarget = mkBackupTargetContainer {
      autoStart = false;
      hostAddress = "192.168.100.18";
      localAddress = "192.168.100.19";
      containerBackupCfg = passwords.storage.backupTarget;
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
}