# NixOS host configuration for "bigding": GRUB boot, firewall, Tailscale,
# a Caddy reverse proxy (ACME DNS-01 through the Porkbun plugin) and a set
# of media services sharing the "media" group.
#
# Exposure model, as far as this file shows:
#   * vhosts built by mkVHosts bind only to `tailnetAddr`;
#   * the vhosts listed after `//` set no listenAddresses, so they are not
#     restricted to that address and are reachable on whatever interfaces
#     the firewall lets through on 80/443.
{ config, pkgs, lib, ... }:
let
  # NOTE(review): 100.64.0.0/10 is the range Tailscale assigns from, so this
  # looks like the host's tailnet address — confirm. It is hard-coded: if the
  # node is re-registered and gets a new address, the vhosts below will bind
  # to an address the host no longer owns.
  tailnetAddr = "100.91.249.54";

  # Build one `{ name, value }` pair for services.caddy.virtualHosts:
  # "<service>.<baseUrl>" proxied to localhost:<port>, listening only on
  # tailnetAddr, with the certificate obtained via the Porkbun DNS provider.
  mkVHost = baseUrl: { service, port }: {
    name = "${service}.${baseUrl}";
    value = {
      listenAddresses = [ tailnetAddr ];
      # The {env.*} placeholders are resolved by Caddy at runtime, so the
      # API credentials never land in the world-readable Nix store.
      # Presumably both variables come from services.caddy.environmentFile
      # below — confirm against the age secret's contents.
      extraConfig = ''
        tls {
          dns porkbun {
            api_key {env.PORKBUN_API_KEY}
            api_secret_key {env.PORKBUN_SECRET_KEY}
          }
        }
        reverse_proxy localhost:${toString port}
      '';
    };
  };

  # Turn a list of `{ service, port }` records into a virtualHosts attrset.
  mkVHosts = baseUrl: hosts:
    builtins.listToAttrs (map (mkVHost baseUrl) hosts);
in
{
  imports = [
    ../common
    ./hardware-configuration.nix
    (import ../../modules).bigding
    ./tmux.nix
  ];

  boot.loader = {
    # Force disable the common boot loader
    systemd-boot.enable = lib.mkForce false;
    efi.canTouchEfiVariables = lib.mkForce false;

    # Use the GRUB 2 boot loader.
    grub = {
      enable = true;
      device = "/dev/sda"; # or "nodev" for efi only
    };
  };

  networking = {
    hostName = "bigding";
    interfaces.ens3.useDHCP = true;

    firewall = {
      # Open on every interface. 80/443 are served by Caddy below.
      # NOTE(review): nothing in this file listens on 8448 — confirm it is
      # still needed (it may be used by an imported module) or drop it.
      allowedTCPPorts = [ 80 8448 443 ];

      # NOTE(review): 12500-12515 is open for both TCP and UDP on every
      # interface; the consumer is not visible here. Confirm which service
      # owns the range and whether all 16 ports are required.
      allowedTCPPortRanges = [
        { from = 12500; to = 12515; }
      ];
      allowedUDPPortRanges = [
        { from = 12500; to = 12515; }
      ];

      interfaces = {
        # NOTE(review): 41641/udp is Tailscale's default WireGuard port, and
        # that traffic normally arrives on the physical interface rather
        # than on tailscale0, so this rule may not have the intended
        # effect — confirm.
        "tailscale0" = {
          allowedUDPPorts = [ 41641 ];
        };
      };
    };
  };

  users.groups.media.name = "media";

  # agenix-managed env file holding the Porkbun API credentials for Caddy.
  age.secrets = {
    caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age;
  };

  services = {
    # Lets the caddy user request certificates from the local tailscaled.
    tailscale.permitCertUid = "caddy";

    syncthing = {
      guiAddress = "localhost:8387";
      settings = {
        gui = {
          # NOTE(review): this turns off Syncthing's Host-header validation
          # for the localhost-bound GUI, which is its protection against
          # DNS-rebinding. It is usually only needed when the GUI sits
          # behind a reverse proxy; no such vhost is defined in this file,
          # so confirm it is still required.
          insecureSkipHostcheck = true;
        };
      };
    };

    sabnzbd = {
      enable = true;
      group = "media";
    };

    radarr = {
      enable = true;
      group = "media";
    };

    sonarr = {
      enable = true;
      group = "media";
    };

    prowlarr = {
      enable = true;
    };

    caddy = {
      enable = true;
      enableReload = false;
      environmentFile = config.age.secrets.caddy_porkbun_api_env.path;

      # The plugin is pinned twice: by version tag and by the fixed-output
      # hash. The hash is what actually guarantees the fetched sources are
      # unchanged, so bump both together and review the upstream diff when
      # updating.
      package = pkgs.caddy.withPlugins {
        plugins = [ "github.com/caddy-dns/porkbun@v0.2.1" ];
        hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg=";
      };

      logFormat = "level INFO";

      virtualHosts =
        # Tailnet-only admin UIs (bound to tailnetAddr by mkVHost). Their
        # backend ports are not in allowedTCPPorts above.
        # NOTE(review): "transmission" is proxied here but not enabled in
        # this file — presumably configured in an imported module.
        (mkVHosts "broccoli.town" [
          { service = "radarr"; port = 7878; }
          { service = "sonarr"; port = 8989; }
          { service = "sab"; port = 8085; }
          { service = "transmission"; port = 9091; }
        ])
        // {
          # The hosts below set no listenAddresses, so unlike the ones
          # above they are not limited to the tailnet address. Access
          # control for the two proxied backends is left entirely to the
          # applications behind them.
          "danielpatterson.dev" = {
            extraConfig = ''
              header {
                proof proven.lol/de4a14
              }
              root * /srv/site/danielpatterson.dev
              encode zstd gzip
              file_server
            '';
          };

          "movies.danielpatterson.dev" = {
            extraConfig = ''
              reverse_proxy localhost:8096
            '';
          };

          "git.broccoli.town" = {
            extraConfig = ''
              reverse_proxy localhost:3030
            '';
          };
        };
    };
  };

  # containers.radarr = {
  #   autoStart = false;
  #   bindMounts = {
  #     "/data" = {
  #       hostPath = "/var/media";
  #       mountPoint = "/data";
  #       isReadOnly = false;
  #     };
  #   };
  #   forwardPorts = [
  #     {
  #       containerPort = 7878;
  #       hostPort = 7979;
  #     }
  #   ];
  #   config = {config, pkgs, lib, ...}: {
  #     services.radarr = {
  #       enable = true;
  #     };
  #   };
  # };

  environment.systemPackages = [
    pkgs.helix
    pkgs.kitty # For terminfo
    pkgs.lazygit
  ];

  system.stateVersion = "21.11"; # Did you read the comment?
}