# Baseline NixOS module shared by every server: Proxmox LXC integration,
# secrets (agenix), firewall, DNS record, LDAP client and restic backup.
# Individual hosts import this and override what they need.
{ pkgs, modulesPath, config, options, inputs, ... }:
let
  # Modules every host pulls in, in the order they were originally listed.
  sharedModules = [
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    # secrets management
    inputs.agenix.nixosModule
    # every server may need the firewall configuration
    ../applications/firewall.nix
    # every server needs a DNS record
    ../applications/dns.nix
    # every server needs the LDAP client for admin accounts
    ../applications/ldap_client.nix
    # every server needs the configuration to back up to
    ../applications/restic.nix
  ];

  # Keys that may log in as root. Names after the key are free-form labels.
  rootAuthorizedKeys = [
    # Root account
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
    # CI/CD key
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
    # Brendan Golden
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
  ];

  # Authoritative nameservers for the network.
  localNameservers = [
    # ns1
    "193.1.99.120"
    # ns2
    "193.1.99.109"
  ];

  # Needed for `nix` itself (flakes) plus a handful of admin tools.
  adminPackages =
    [ pkgs.git ]
    ++ [
      pkgs.ncdu_2
      pkgs.htop
      pkgs.nano
      pkgs.nmap
      pkgs.bind
      pkgs.zip
      pkgs.traceroute
      pkgs.openldap
      pkgs.screen
    ];
in
{
  imports = sharedModules;

  # flakes are essential to how these hosts are deployed
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  system.stateVersion = "22.11";

  users.users.root = {
    # NOTE(review): an empty hashed password permits password-less root login
    # on the local (LXC) console; SSH still requires a key because of
    # PermitRootLogin below. Confirm this is intended for every host.
    initialHashedPassword = "";
    openssh.authorizedKeys.keys = rootAuthorizedKeys;
  };

  services = {
    openssh = {
      enable = true;
      # root may only authenticate with a key, never a password
      settings.PermitRootLogin = "prohibit-password";
    };

    # skynet-admin-linux is always added; individual servers can override the groups option
    skynet_ldap_client.enable = true;

    # time on vendetta is strangely out of sync, so run a full ntp client
    ntp.enable = true;

    # use the nameservers configured above as the fallback DNS for resolved
    resolved.fallbackDns = config.networking.nameservers;
  };

  networking = {
    # every server needs to be reachable over SSH for admin use at least
    firewall.allowedTCPPorts = [ 22 ];

    # stating this explicitly is good
    defaultGateway = "193.1.99.65";

    # cannot use our own (this host's) resolver, it seems?
    nameservers = localNameservers;

    # keep the module default pool and add the Irish pool on top
    timeServers = options.networking.timeServers.default ++ [ "ie.pool.ntp.org" ];
  };

  environment.systemPackages = adminPackages;
}