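# NixOS host configuration for the "noisebell" machine.
#
# Exposure model: the only port opened to every interface is the Tailscale
# UDP port. SSH and the Caddy proxy are meant to be reachable solely through
# the trusted tailscale0 interface.
{ config, pkgs, ... }:
{
  system.stateVersion = "24.11";

  networking.hostName = "noisebell";

  # Enable the noisebell service
  services.noisebell = {
    enable = true;
    endpointUrl = "https://example.com/webhook"; # TODO: set your endpoint
  };

  # Basic system config
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Tailscale
  services.tailscale.enable = true;

  # Caddy reverse proxy — proxies to the noisebell status endpoint.
  # The ":80" site is plain HTTP on every address. Nothing in this file opens
  # TCP 80 in the firewall, so it is only served via trusted interfaces.
  services.caddy = {
    enable = true;
    virtualHosts.":80".extraConfig = ''
      reverse_proxy localhost:${toString config.services.noisebell.port}
    '';
  };

  services.openssh = {
    enable = true;
    # The openssh module opens its port on all interfaces by default, which
    # would contradict the Tailscale-only firewall policy below. Keep it
    # closed; tailscale0 is a trusted interface, so SSH stays reachable there.
    openFirewall = false;
    # Root is provisioned with public keys only, so refuse password-based
    # logins outright instead of leaving them available for guessing.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Only allow traffic from Tailscale interface
  networking.firewall = {
    # All traffic arriving on a trusted interface bypasses port filtering.
    trustedInterfaces = [ "tailscale0" ];
    # Tailscale's own UDP port must be reachable from outside the tailnet so
    # that peers can establish direct connections.
    allowedUDPPorts = [ config.services.tailscale.port ];
  };

  # NOTE(review): with an empty list and password logins disabled, nobody can
  # log in as root over SSH until a key is added here.
  users.users.root.openssh.authorizedKeys.keys = [
    # TODO: add your SSH public key
  ];
}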