{ zentralwerk, config, pkgs, lib, ... }:

{
  imports = [
    ./hydra.nix
    ./cache.nix
    ./updater.nix
  ];

  nixpkgs.config.allowUnfree = true;

  security.pam.enableSSHAgentAuth = true;

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  programs.mosh.enable = true;

  nix = {
    useSandbox = false;
    maxJobs = 4;
    buildCores = 20;
    gc = {
      automatic = true;
      dates = lib.mkForce "06:00";
      options = "--delete-older-than 14d";
    };
    sshServe.enable = true;
    trustedUsers = [ "@wheel" ];
  };

  boot = {
    tmpOnTmpfs = true;
    # For cross-building
    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

  fileSystems."/" = {
    fsType = "rootfs";
    device = "rootfs";
  };

  networking = {
    hostName = "hydra";
    firewall.enable = false;
    defaultGateway = "172.20.73.1";
    interfaces.eth0.ipv4.addresses = [{
      address = "172.20.73.49";
      prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
    }];
  };

  nixpkgs.config.packageOverrides = pkgs: {
    # HACK: nix-2.5.1 is broken <https://github.com/NixOS/nix/issues/5728>
    nixUnstable = pkgs.nixUnstable.overrideAttrs (oa: rec {
      version = "2.6${VERSION_SUFFIX}";
      VERSION_SUFFIX = "pre20220107_${pkgs.lib.substring 0 7 src.rev}";
      patches = [];
      src = pkgs.fetchFromGitHub {
        owner = "nixos";
        repo = "nix";
        rev = "fcddaa4b9b22a910a24a513bc05579a12eb1db41";
        sha256 = "1v5z2kc9gard6sqxqi73w37x1jfa9ja04svkwr9f1dfj3vl3xygp";
      };
    });
  };


  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "21.11"; # Did you read the comment?
}