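# NixOS host configuration for "astral": an EC2 instance that runs Caddy as the
# public TLS front end and Vaultwarden behind it.
{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }:
{
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    nixosModules.nano
    nixosModules.nettika
    nixosModules.promptmoji
    agenix.nixosModules.default
  ];

  # mkForce takes priority over any value the imported modules set for the
  # GRUB install device.
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";

  nix = {
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    settings = {
      # NOTE(review): Nix trusted users can override daemon settings and are
      # effectively root-equivalent. Together with the passwordless sudo
      # below, any compromised wheel account means full control of the host.
      trusted-users = [ "@wheel" ];
      experimental-features = [ "nix-command" "flakes" ];
    };
  };

  networking = {
    hostName = "astral";
    # Only HTTP and HTTPS are added to the firewall allow-list here; the
    # Vaultwarden port (8222) is intentionally absent and is reached only
    # through Caddy.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  # The agenix-encrypted environment file is decrypted on the host and handed
  # to Vaultwarden below, so its contents never appear in this file.
  # Presumably it carries the SMTP password and similar secrets; confirm.
  age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;

  users.defaultUserShell = pkgs.fish;

  # NOTE(review): wheel members get root without a password prompt. That is
  # tolerable only if those accounts are reachable solely via key-based SSH;
  # verify against the imported modules, which are not visible here.
  security.sudo.wheelNeedsPassword = false;

  services.caddy = {
    enable = true;
    virtualHosts = {
      # The header field is written without the curl-style trailing colon,
      # which is the form the Caddyfile `header` directive documents.
      "astral.leaf.ninja".extraConfig = ''
        respond "astral is online"
        header Strict-Transport-Security "max-age=63072000; includeSubDomains"
      '';
      # HSTS on astral.leaf.ninja does not extend to this sibling host, so the
      # password vault sets its own policy. The upstream is addressed by its
      # loopback IP to match the Vaultwarden bind address below.
      "vault.leaf.ninja".extraConfig = ''
        header Strict-Transport-Security "max-age=63072000"
        reverse_proxy 127.0.0.1:8222
      '';
    };
  };

  services.vaultwarden = {
    enable = true;
    config = {
      domain = "https://vault.leaf.ninja";
      signupsAllowed = false;
      # Listen on loopback only. Caddy is the sole intended client, and a
      # 0.0.0.0 bind would leave plaintext HTTP access to the vault depending
      # entirely on the host firewall and the cloud security group.
      rocketAddress = "127.0.0.1";
      rocketPort = 8222;
      smtpHost = "smtp.migadu.com";
      smtpFrom = "vaultwarden@leaf.ninja";
      smtpPort = 587;
      smtpSecurity = "starttls";
      smtpUsername = "vaultwarden@leaf.ninja";
    };
    # Secrets come from the agenix-decrypted file rather than `config`, which
    # keeps them out of the evaluated configuration.
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  programs.fish.enable = true;
  documentation.man.generateCaches = false;
  promptSymbol = "👻";
  time.timeZone = "America/Los_Angeles";

  # Release whose stateful-data defaults this host was installed with; this is
  # not the version of NixOS currently running.
  system.stateVersion = "23.05";
}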