# NixOS host module for a multi-service server. It pulls in the per-service
# modules, the agenix (secret decryption) and disko (disk layout) modules,
# locks down local accounts, and schedules one recurring user-level job.
{
  pkgs,
  agenix,
  disko,
  ...
}: let
  # Store-path wrapper around the job binary. writeShellApplication puts the
  # listed runtimeInputs on PATH, so the target can call `nix`.
  #
  # NOTE(review): the wrapped command lives under /home/maintainer, outside the
  # Nix store. It is therefore not pinned by the system closure: whatever is at
  # that path when the timer fires is what runs, and anything able to write
  # there controls the job. Packaging it as a derivation would make it
  # immutable and reviewable along with the rest of this configuration.
  runThing = pkgs.writeShellApplication {
    name = "run-thing";
    runtimeInputs = [pkgs.nix];
    text = "/home/maintainer/register-thing/thing";
  };
in {
  imports = [
    ./system.nix
    agenix.nixosModules.default
    disko.nixosModules.disko

    ./404.nix
    ./acme.nix
    ./bitwarden.nix
    ./borg.nix
    ./disk-config.nix
    ./forgejo.nix
    ./msmtp.nix
    ./murmur.nix
    ./nginx.nix
    ./upgrade.nix
    ./weechat.nix
    ./woodpecker.nix

    ../../users/maintainer
  ];

  # Private key agenix uses to decrypt secrets on this host. The key is not
  # created by this configuration; it has to be placed on the machine out of
  # band. Whoever can read it can decrypt every secret encrypted to this host,
  # so it should stay readable by root only.
  age.identityPaths = ["/root/.ssh/id_agenix_ed25519"];

  # Accounts are defined only by this configuration; changes made imperatively
  # (useradd, passwd) do not persist.
  users.mutableUsers = false;

  # "!" is not a valid password hash, so password login as root is locked.
  # This does not govern key-based SSH access for root; that depends on the
  # sshd settings, which are not in this file (presumably in ./system.nix -
  # confirm).
  users.users.root.hashedPassword = "!";

  # Small admin toolset installed system-wide.
  environment.systemPackages = [
    pkgs.git
    pkgs.htop
    pkgs.neovim
    pkgs.tree
  ];

  # Only the module defaults are used; no jails are declared in this file.
  # NOTE(review): confirm the active jails cover the public services imported
  # above (nginx, forgejo, bitwarden), not only what the module enables itself.
  services.fail2ban.enable = true;

  # Enabled with module defaults; no devices, folders, GUI address or firewall
  # options are set in this file.
  # NOTE(review): confirm where the GUI listens and who can reach it.
  services.syncthing.enable = true;

  # One-shot job run as the unprivileged `maintainer` account.
  # NOTE(review): the unit sets no sandboxing options (NoNewPrivileges,
  # ProtectSystem, PrivateTmp, ...). Whether they can be added depends on what
  # the job needs to touch, which is not visible from this file.
  systemd.services.register-thing.serviceConfig = {
    Type = "oneshot";
    User = "maintainer";
    ExecStart = "${runThing}/bin/run-thing";
  };

  # First run one minute after boot, then one minute after each activation of
  # the service, each with up to one minute of random delay.
  systemd.timers.register-thing = {
    wantedBy = ["timers.target"];
    timerConfig = {
      OnBootSec = "1m";
      OnUnitActiveSec = "1m";
      RandomizedDelaySec = "1m";
      # Same as the implicit default for a timer of this name; kept explicit.
      Unit = "register-thing.service";
    };
  };
}