# NixOS module for the host "grimmauld-nixos-server".
# Pulls in the hardware configuration, tracks the latest kernel package set,
# enables sshd, and serves a static site for the host's domain through nginx
# with HTTPS enforced.
{ lib, config, inputs, pkgs, ... }:
let
  # Single source of truth for the domain: read back from networking.domain,
  # which is assigned further down in this same module.
  domain = config.networking.domain;
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking = {
    hostName = "grimmauld-nixos-server";
    domain = "grimmauld.de";

    # Only HTTP and HTTPS are opened explicitly here.
    # NOTE(review): the openssh module opens its own listening port unless
    # services.openssh.openFirewall is turned off, so sshd is expected to be
    # reachable from outside as well - confirm that is intended.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  # NOTE(review): no services.openssh.settings are pinned in this file, so the
  # password-login and root-login policy comes from module defaults or from
  # another module. The authorizedKeys line at the bottom is commented out,
  # so verify where keys are provisioned; once key access is confirmed,
  # setting settings.PasswordAuthentication = false and an explicit
  # settings.PermitRootLogin here would make the policy auditable.
  services.openssh.enable = true;

  # Release the system state was created under; not a "current version" knob.
  system.stateVersion = "23.11";

  # networking.networkmanager.enable = lib.mkForce false;

  services.nginx = {
    # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # AES-256 suites with ephemeral ECDH or DH key exchange, anonymous suites
    # excluded.
    # NOTE(review): this string does not restrict the cipher mode, so it
    # presumably still admits CBC suites alongside GCM; listing it with
    # `openssl ciphers -v` shows the exact set. It is also not expected to
    # affect TLS 1.3 suite selection - confirm against the nginx build in use.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts.${domain} = {
      # Plain-HTTP requests are redirected to HTTPS.
      forceSSL = true;

      # Forced off so this vhost does not request its own certificate: use the
      # correct cert, not the one the matrix-synapse module would supply.
      enableACME = lib.mkForce false;

      # Reuse the certificate managed under this name.
      # NOTE(review): that certificate is not declared in this file; it has to
      # exist under security.acme.certs elsewhere in the configuration.
      useACMEHost = domain;

      # Static content only; nothing is proxied from this vhost.
      locations."/".root = "/var/www/${domain}";
    };
  };

  # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}