{
  modulesPath,
  lib,
  pkgs,
  config,
  ...
}:

{
  boot.loader.systemd-boot = {
    enable = true;
    configurationLimit = 10;
  };
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "ellie-server";
  networking.useNetworkd = true;

  systemd.network.enable = true;

  hardware.graphics = {
    enable = true;
  };
  hardware.nvidia = {
    package = config.boot.kernelPackages.nvidiaPackages.stable;
    modesetting.enable = true;
    open = false;
  };

  services.resolved.enable = true;

  services.openssh = {
    openFirewall = false;
  };

  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    allowPing = true;

    checkReversePath = true;
    rejectPackets = true;
    allowedTCPPorts = [ ];
    interfaces."enp34s0".allowedTCPPorts = [ ];
    extraInputRules = ''
      ip saddr 192.168.1.0/24 tcp dport {22, 8096, 8920, 3000, 8282, 9696, 8989, 7878, 80} accept
      tcp dport {22, 8096, 8920, 3000, 8282, 9696, 8989, 7878, 80} drop

      ip saddr 192.168.1.0/24 udp dport 5353 accept
      udp dport 5353 drop
    '';
  };

  users.groups.media = { };
  #users.users.radarr.extraGroups = [ "media" ];
  #users.users.sonarr.extraGroups = [ "media" ];
  #users.users.jellyfin.extraGroups = [ "media" ];

  sops.age.keyFile = "/home/ellie/.config/sops/age/keys.txt";

  environment.systemPackages = with pkgs; [
    git
    vim
    dropbear
    age
    sops
  ];

  system.stateVersion = "25.05";
}