# Base NixOS module for a Proxmox LXC guest: sops-nix secrets, one admin user,
# SSH reachable on TCP 22, German localisation and automatic Nix store clean-up.
{ modulesPath, pkgs, lib, inputs, config, ... }:
{
  imports = [
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
    inputs.sops-nix.nixosModules.sops
  ];

  # set up secret key
  # sops-nix derives its age identity from the SSH host key listed below, so
  # anyone who can read that private key can decrypt every secret encrypted
  # to this host.
  # NOTE(review): on an LXC guest that presumably includes root on the Proxmox
  # host -- confirm this matches the intended trust boundary.
  sops = {
    defaultSopsFile = ../secrets/all/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # neededForUsers: decrypted before user accounts are set up, so that
    # hashedPasswordFile further down can point at it.
    secrets.initial_password_clara.neededForUsers = true;
  };

  time.timeZone = "Europe/Berlin";

  # localization stuff: English messages, German formats and keyboard
  console.keyMap = "de";
  i18n = {
    defaultLocale = "en_US.UTF-8";
    # every category listed here gets the same German locale
    extraLocaleSettings = lib.genAttrs [
      "LC_ADDRESS"
      "LC_IDENTIFICATION"
      "LC_MEASUREMENT"
      "LC_MONETARY"
      "LC_NAME"
      "LC_NUMERIC"
      "LC_PAPER"
      "LC_TELEPHONE"
      "LC_TIME"
    ] (_: "de_DE.UTF-8");
  };

  # we want at least a possibility to download stuff, monitor activity and sudo
  environment.systemPackages = [
    pkgs.wget
    pkgs.htop
    pkgs.sudo
    pkgs.mtr
    pkgs.nettools
    pkgs.tcpdump
  ];

  # zsh because I like it :3
  programs.zsh.enable = true;

  users = {
    # Login banner showing the host name.
    # NOTE(review): the string is kept on one line exactly as it appears here;
    # if a three-line banner is intended, put each part on its own line.
    motd = '' ################################## Logged in to: ${config.networking.hostName} ################################## '';

    # default user with sudo
    users.clara = {
      isNormalUser = true;
      shell = pkgs.zsh;
      # The secret must contain a password *hash*, not the plaintext.
      # users.mutableUsers is not set in this file; with its default (true) the
      # hash is only applied when the account is first created, which fits the
      # "initial_password" name.
      hashedPasswordFile = config.sops.secrets.initial_password_clara.path;
      # NOTE(review): stock NixOS grants sudo through `wheel`; no `sudo` group
      # is declared in this file -- confirm it exists elsewhere or drop it.
      extraGroups = [ "sudo" "wheel" ];
      # RSA public key; the `cardno:` comment suggests it lives on a hardware token.
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC45xdNbidyqMV7CFxhObUFSuKKjDTE1+wCJFX8GC5uoV/dYmzNKxG5l8oMEQn6wVrWvOYNbuy4hsOxhBoVa9Y7YlgGZaStKPkjerafi4YUvQ5U2f5oztConmD1EHASOalDviHt+5HevokQDtZimx2sUYgz5lN/DtYzgsNgFueUt96iQEQ7zUDtSC5BiZ13lasyNcVQK1XuP9aqeoa11ce2CcDg3LMJ5tXn+yxRlN9v5R1Mkt028mqwLr8d/uAUbcgUo7j+ommrXoK6+/3n2SoAiTIp3UZPMOjMEMQUuSVBAjhycVoMM1hzGSoUsfXk0GZTDZQdvIBrjsIyysdsEtNWiu51F9OnX07YqEh9KEX1i7KK7U30MAl172Nf85egP/oRRUmZOm9JPEW8rlTbnQYSGvtDsFEcwzfvZODQW+Knb/n02RkHTyXVRgTkEdhavgSnSXeTJB8zn+OVpwYj1EQ1v+x9H9DDALAWj3ac61WAKk+SAa/1WjQNDt+bFQ/ehxkMTeLnaak+fWJO/pqwSrevJtlCC+5FbzSwlLOiqevOg97ciu1ESeYPYnTwU0rFSAh4ZEP7CbSg2vmniZNF3kbeZrw3a5ZlnFU29cPs0b5t8A3txGFQi1W1zK2Y2oFZqcm7u+WntH9Aq69g1vEPWT7yH4kK1Y5HumpPsP1II38evw== cardno:11_075_348"
      ];
    };
  };

  # Enable networking
  networking.networkmanager.enable = true;

  # configure firewall: inbound TCP 22 (SSH) is the only port opened in this file
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];
  };

  # enable ssh access
  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      # NOTE(review): root is allowed to connect, but only without a password
      # (see PermitRootLogin), and this file defines no authorized key for
      # root. If root SSH is not needed, remove "root" here and set
      # PermitRootLogin = "no".
      AllowUsers = [ "clara" "root" ];
      PermitRootLogin = "prohibit-password"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
      # NOTE(review): password login stays enabled for clara on the exposed
      # port, so that account can be targeted by password guessing, although an
      # authorized key is already configured. Key-only login would need
      # PasswordAuthentication = false together with
      # KbdInteractiveAuthentication = false; otherwise consider rate limiting
      # (e.g. services.fail2ban), which this file does not configure.
      PasswordAuthentication = true;
      X11Forwarding = false;
      # NOTE(review): makes sshd reverse-resolve client addresses, which ties
      # logins to DNS availability -- keep only if hostname-based rules
      # (from=, Match Host) are used somewhere.
      UseDns = true;
    };
  };

  nix = {
    # because getting a nix shell is super annoying otherwise
    settings.experimental-features = [ "nix-command" "flakes" ];

    # garbage collection & optimization
    optimise = {
      automatic = true;
      dates = [ "03:45" ]; # Optional; allows customizing optimisation schedule
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
}