# NixOS module for the host "noisebell".
#
# Every credential is handed to its service as a file path taken from
# config.age.secrets.<name>.path, not as an inline string, so only the
# age-encrypted blobs under ./secrets are referenced from this file.
{ config, pkgs, ... }:
let
  # Shorthand for the agenix secret set declared below.
  secrets = config.age.secrets;
in
{
  system.stateVersion = "24.11";

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  # Decrypted at runtime by agenix
  age.secrets = {
    tailscale-auth-key.file = ./secrets/tailscale-auth-key.age;
    api-key.file = ./secrets/api-key.age;
    inbound-api-key.file = ./secrets/inbound-api-key.age;
  };

  networking = {
    hostName = "noisebell";

    firewall = {
      # All traffic arriving on the Tailscale interface is accepted.
      trustedInterfaces = [ "tailscale0" ];
      # The only port this file opens explicitly on the other interfaces is
      # Tailscale's own UDP port, read from the tailscale module's setting.
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
  };

  services = {
    tailscale = {
      enable = true;
      authKeyFile = secrets.tailscale-auth-key.path;
    };

    noisebell = {
      enable = true;
      # Port 80 is not listed in the firewall section above.
      # NOTE(review): presumably reachable only via tailscale0 unless the
      # noisebell module opens the port itself. Confirm against that module.
      port = 80;
      endpointUrl = "https://noisebell.extremist.software/webhook";
      apiKeyFile = secrets.api-key.path;
      inboundApiKeyFile = secrets.inbound-api-key.path;
    };

    # NOTE(review): services.openssh.openFirewall defaults to true in NixOS, so
    # enabling sshd also opens its TCP port on every interface, not only on
    # tailscale0. If SSH is meant to be tailnet-only, set openFirewall = false.
    # Password authentication is left at the module default here. Confirm it is
    # disabled (services.openssh.settings.PasswordAuthentication = false).
    openssh.enable = true;
  };

  # No public keys are authorised for root in this file. Key-based root login
  # needs keys added here or by another module.
  users.users.root.openssh.authorizedKeys.keys = [ ];
}