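{ pkgs, lib, config, name, pretense, quotdd, ... }:
{
  # Deployment target is derived from the host name, which is itself set from
  # the module argument `name` further down.
  deployment.targetHost = "${config.networking.hostName}.infra.noratrieb.dev";

  imports = [
    # agenix secrets module. The URL pins a commit, but no `sha256` is given,
    # so the fetch is impure and its integrity rests on TLS to GitHub alone.
    # Supplying `builtins.fetchTarball { url = ...; sha256 = "<hash of this tarball>"; }`
    # (or an npins/flake input) makes the tarball content-addressed.
    "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26
  ];

  environment.systemPackages = with pkgs; [
    vim
    wget
    curl
    traceroute
    dnsutils
    nftables
  ];

  networking.hostName = name;
  time.timeZone = "Europe/Zurich";

  # Root is reachable over SSH with this key only (see the sshd settings below).
  users.users.root.openssh.authorizedKeys.keys = [
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0n1ikUG9rYqobh7WpAyXrqZqxQoQ2zNJrFPj12gTpP nilsh@PC-Nils''
  ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  services.openssh = {
    enable = true;
    openFirewall = true;
    banner = "meoooooow!! 😼 :3\n";
    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication=no alone leaves the PAM keyboard-interactive
      # path open (NixOS defaults it to yes); disable it too so only public
      # keys are accepted.
      KbdInteractiveAuthentication = false;
      # Same as the OpenSSH default; stated explicitly because key-based root
      # login is the only intended login path on this host.
      PermitRootLogin = "prohibit-password";
    };
  };

  services.fail2ban = {
    enable = true;
  };

  system.nixos.distroName = "NixOS (gay 🏳️‍⚧️)";

  # Connection logger listening on the ports named in PRETENSE_PORTS. Runs as
  # a transient user; CAP_NET_BIND_SERVICE is needed for port 23 (< 1024).
  systemd.services.pretense = {
    description = "pretense connection logger";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${lib.getExe (pretense {inherit pkgs;})}";
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      Environment = [
        "PRETENSE_PORTS=23,3306,5432,1521" # telnet,mysql,postgres,oracle
        "PRETENSE_METRICS_PORT=9150"
      ];
    };
  };

  # Quote-of-the-day daemon on port 17; same sandboxing as pretense.
  systemd.services.quotdd = {
    description = "quotdd Quote of The Day Daemon";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${lib.getExe (quotdd {inherit pkgs;})}";
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      Environment = [ ];
    };
  };

  # Publicly reachable TCP ports; every one is served by one of the two
  # daemons above.
  networking.firewall.allowedTCPPorts = [
    23 # telnet, pretense
    3306 # mysql, pretense
    5432 # postgres, pretense
    1521 # oracle, pretense
    17 # quote of the day, quotdd
  ];

  # monitoring: exporters are reachable only over the WireGuard interface.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    9100 # node exporter
    9150 # pretense exporter
  ];

  services.prometheus.exporters = {
    node = {
      enable = true;
    };
  };

  services.promtail = {
    enable = true;
    configuration = {
      server = {
        disable = true;
      };
      # Plain-HTTP push to Loki. NOTE(review): presumably vps3.local is only
      # reachable over wg0 — confirm, otherwise journal contents cross the
      # network in clear.
      clients = [
        { url = "http://vps3.local:3100/loki/api/v1/push"; }
      ];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            max_age = "24h";
            labels = {
              job = "systemd-journal";
              node = name;
            };
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal__hostname" ];
              target_label = "host";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "severity";
              regex = "(.+)";
            }
          ];
        }
      ];
    };
  };
}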