{ config, pkgs, lib, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    ../../base.nix
    ../../common/metrics-exporters.nix
    ./services/flame.nix
    ./services/hedgedoc.nix
    ./services/nginx.nix
    ./services/postgresql.nix
  ];

  # The Proxmox LXC module owns boot and console. base.nix switches
  # systemd-boot on, so a plain `false` would conflict; it has to be forced.
  boot.loader.systemd-boot.enable = lib.mkForce false;

  # Take the network away from Proxmox and declare a static address instead.
  proxmoxLXC.manageNetwork = true;
  networking = {
    hostName = "sarek";
    hostId = "15dd36bc";
    defaultGateway = "192.168.10.1";
    interfaces.eth0.ipv4.addresses = [
      { address = "192.168.10.181"; prefixLength = 24; }
    ];
  };

  sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;

  # NOTE(review): a Docker daemon inside an unprivileged LXC presumably needs
  # the container's nesting feature enabled on the Proxmox side — not visible
  # in this file, confirm on the host.
  virtualisation = {
    docker.enable = true;
    oci-containers.backend = "docker";
  };

  # nixpkgs commit 59e37267556eb917146ca3110ab7c96905b9ffbd moved the /var
  # setup from an activation script into systemd-tmpfiles, which does not
  # work in an unprivileged LXC container. Put the activation script back
  # (shell body unchanged from upstream) and drop the tmpfiles rules.
  system.activationScripts.var = lib.mkForce ''
    # Various log/runtime directories.
    mkdir -p /var/tmp
    chmod 1777 /var/tmp
    # Empty, immutable home directory of many system accounts.
    mkdir -p /var/empty
    # Make sure it's really empty
    ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
    find /var/empty -mindepth 1 -delete
    chmod 0555 /var/empty
    chown root:root /var/empty
    ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
  '';
  # NOTE(review): this forces *every* tmpfiles rule to nothing, including any
  # declared by the imported service modules (nginx, postgresql, hedgedoc,
  # metrics exporters), not only the /var rules from that commit — verify
  # those services still get the runtime directories and permissions they
  # expect after a rebuild.
  systemd.tmpfiles.rules = lib.mkForce [ ];

  system.stateVersion = "23.05";
}