{ pkgs, ... }:
let
  # Single source of truth for where the Immich media lives; both the CIFS
  # mount below and the immich service point at it (the original used `rec`
  # to cross-reference the attribute; a `let` binding is the usual module
  # idiom and evaluates to the same value).
  immichMountPoint = "/mnt/storage/immich";

  # Mount lazily through a systemd automount unit and give up quickly on a
  # dead link, so a network split between this host and the storage box does
  # not hang boot or the service indefinitely.
  immichAutomountOpts = "x-systemd.automount,auto,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in
{
  imports = [
    ../../modules/services/vaultwarden.nix
    ../../modules/services/immich.nix
    ../../modules/services/syncthing.nix
    ../../modules/services/invidious.nix
    ../../modules/services/grafana.nix
    ../../modules/services/gtrackmap.nix
    ../../modules/services/owncast.nix
    ../../modules/services/hydra.nix
    ../../modules/services/wireguard.nix
  ];

  networking.firewall = {
    # Public ingress: only HTTP/HTTPS, terminated by Caddy below.
    allowedTCPPorts = [ 80 443 ];

    # NOTE(review): a trusted interface accepts *all* inbound traffic from
    # the podman bridge, not just DNS — every host service that binds to
    # 0.0.0.0 (and the host side of the bridge) becomes reachable from every
    # container. If that is not intended, drop the interface from
    # trustedInterfaces and keep only the explicit port rule below.
    trustedInterfaces = [ "podman1" ];

    # Container name resolution on the bridge (what dns_enabled below turns
    # on). While podman1 is listed as trusted this rule is effectively
    # redundant; it only becomes load-bearing if the trust is removed.
    interfaces.podman1.allowedUDPPorts = [ 53 ];
  };

  # Reverse proxy / TLS termination; the address is used for ACME
  # registration.
  services.caddy = {
    enable = true;
    enableReload = true;
    email = "admin@pimeys.pm";
  };

  # Shared database server; per-service databases/users are expected to be
  # declared by the imported service modules.
  services.postgresql.enable = true;

  virtualisation = {
    oci-containers.backend = "podman";
    podman = {
      enable = true;
      autoPrune.enable = true;
      # Provides the `docker` CLI alias for tooling that expects it.
      dockerCompat = true;
      # Required for container networking to be able to use names.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  # Options here (fqdn, data_dir, secrets) come from the local immich module
  # in ../../modules/services/immich.nix, not the upstream NixOS module.
  services.immich = {
    enable = true;
    fqdn = "img.freun.dev";
    data_dir = immichMountPoint;
    secrets = "/var/secrets/immich";
  };

  # Immich media is stored on a remote SMB share rather than local disk.
  fileSystems.immich_data = {
    mountPoint = immichMountPoint;
    device = "//u407959.your-storagebox.de/backup/immich";
    fsType = "cifs";
    # NOTE(review): the credentials file holds the SMB username/password in
    # plain text; it should be owned by root with mode 0600. That cannot be
    # verified from this file — check how /var/secrets is provisioned.
    options = [ "${immichAutomountOpts},credentials=/var/secrets/smb-storage" ];
  };

  # mount.cifs helper needed by the kernel CIFS mount above.
  environment.systemPackages = [ pkgs.cifs-utils ];
}