# Host definition: static host metadata (platform, domain, SSH public key,
# hardware hints, addressing) plus `configuration`, a NixOS module function.
# How the top-level attributes are consumed is defined elsewhere in the
# repository and is not visible in this file.
{
  system = "x86_64-linux";
  nixpkgsStable = true;
  domain = "infra.zaphyra.eu";
  # Public half of an ed25519 key pair, so safe to keep in the repository.
  # Whether it is the host key or a login key is not visible here; confirm at the consumer.
  sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrPIC3CoGpLDxsz1kiOXpv7EpNoFEgI6nCNckD69rpJ";

  hardware = {
    cpuVendor = "intel";
    allowHibernation = false;
  };

  # Static addressing on publicly routed prefixes (both *IsPrivate flags are false).
  # The IPv6 default gateway is the link-local address fe80::1.
  networking = {
    ip4IsPrivate = false;
    ip4Address = "194.36.145.49";
    ip4PrefixLength = 22;
    defaultGateway4 = "194.36.144.1";
    ip6IsPrivate = false;
    ip6Address = "2a03:4000:4d:5e::1";
    ip6PrefixLength = 64;
    defaultGateway6 = "fe80::1";
  };

  configuration =
    {
      inputs,
      config,
      lib,
      pkgs,
      ...
    }:
    {
      # `true` grants an unauthenticated root shell when the initrd drops into
      # emergency mode, so anyone who can reach the console gets root there.
      # The option also accepts a hashed password to require authentication.
      # NOTE(review): the disk is encrypted (rootDisk.encrypt below), yet an
      # unauthenticated initrd shell is still a place to tamper with the boot
      # path. Confirm this is intended for an internet-facing VPS.
      boot.initrd.systemd.emergencyAccess = true;
      # Kernel-side NDP proxying; presumably complements services.ndppd below. Verify it is needed.
      boot.kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true;

      sops.secrets = {
        # Owned by systemd-network so networkd can read the key file that
        # wireguardConfig.PrivateKeyFile points at.
        wireguardPrivKey = {
          owner = "systemd-network";
          group = "systemd-network";
        };
        # Taken from the shared ("common") sops file rather than a host-specific one.
        # NOTE(review): every host that can decrypt that file holds the same backup credentials.
        "resticEnv/novus" = {
          sopsFile = inputs.self.sopsSecrets.common;
        };
      };

      # `modules.*` are project-defined options; their implementation is not part of this file.
      modules = {
        # NOTE(review): by its name this disables a kernel-hardening module.
        # Confirm what protection is lost and why it is off on this host.
        security.kernel = false;

        filesystem = {
          impermanence.system.enable = true;
          impermanence.home.enable = true;
          rootDisk = {
            enable = true;
            encrypt = true;
            type = "zfs";
            path = "/dev/vda";
            reservedSpace = "500M";
            parts = {
              nix = true;
            };
            # NOTE(review): confirm the swap area is covered by the disk encryption.
            # Unencrypted swap can leave memory contents, including key material, on disk.
            swap = {
              enable = true;
              size = "2G";
            };
          };
        };

        presets = {
          base.enable = true;
          netcup.enable = true;
          zaphyra = {
            enable = true;
            syncthing.enable = false;
            dnsServer.enable = true;
          };
        };

        services = {
          resticBackup.targets = {
            novus = {
              repository = "rest:https://restic.novus.infra.zaphyra.eu";
              # Credentials come from the sops-managed file at runtime, not from a literal in this file.
              # NOTE(review): the same hostname is enabled under `websites` below.
              # If this host serves that repository, this target is not an off-host copy.
              environmentFile = config.sops.secrets."resticEnv/novus".path;
            };
          };
        };

        websites = {
          "restic.novus.infra.zaphyra.eu".enable = true;
          "flauschehorn.zaphyra.eu".enable = true;
          "ip.zaphyra.eu".enable = true;

          # old fedi instance
          "ctu.cx".enable = true;
          "fedi.ctu.cx".enable = true;
        };

        users.zaphyra.enable = true;
      };

      networking.firewall = {
        # Reads the port from the netdev definition, so firewall and tunnel cannot drift apart.
        allowedUDPPorts = [ config.systemd.network.netdevs."20-wg0".wireguardConfig.ListenPort ];
        # Traffic arriving on a trusted interface bypasses the firewall's port filtering.
        # NOTE(review): with AllowedIPs = ::/0 on the peer below, that peer can
        # reach every service listening on this host. Confirm that is intended.
        trustedInterfaces = [ "wg0" ];
      };

      systemd.network = {
        # Global IPv6 forwarding: the host routes between ens3 and wg0.
        config.networkConfig = {
          IPv6Forwarding = true;
        };

        netdevs."20-wg0" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg0";
          };
          wireguardConfig = {
            # The key is read from the sops-managed path at runtime, never embedded in this file.
            PrivateKeyFile = config.sops.secrets.wireguardPrivKey.path;
            ListenPort = 51820;
            # fwmark applied to the tunnel's own encrypted packets; nothing in this file matches on it.
            FirewallMark = 51820;
          };
          wireguardPeers = [
            {
              PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
              # ::/0 accepts packets with any IPv6 source address from this peer.
              # NOTE(review): the only route towards wg0 is the /112 below. If the
              # peer only uses addresses from that prefix, narrowing AllowedIPs to it
              # would stop it sourcing arbitrary addresses through this host.
              # Confirm with the peer's setup before changing.
              AllowedIPs = [ "::/0" ];
              PersistentKeepalive = 10;
            }
          ];
        };

        networks."20-wg0" = {
          name = "wg0";
          # Sends the delegated /112 into the tunnel.
          routes = [
            { Destination = "2a03:4000:4d:5e:acab::/112"; }
          ];
          # The tunnel does not gate network-online.target.
          linkConfig.RequiredForOnline = false;
        };
      };

      # ndppd answers neighbour solicitations on ens3 for the /112, so the upstream
      # router delivers that prefix here. The "static" method replies without first
      # checking that the target address is actually in use.
      services.ndppd = {
        enable = true;
        proxies.ens3.rules."2a03:4000:4d:5e:acab::/112".method = "static";
      };

      system.stateVersion = "24.11";
      home-manager.users.zaphyra.home.stateVersion = "24.11";
    };
}