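{ config, pkgs, lib, stateVersion, hostname, username, ... }:

# Base module for a NixOS container (boot.isContainer): pulls in the per-host
# and per-user modules plus the shared observability/remote-access services,
# and joins the container to a self-hosted headscale control server using a
# sops-managed pre-auth key and a userspace-networking tailscaled.
{
  imports = [
    ./${hostname}
    ../users/${username}
    ../common/modules/nixos.nix
    ../common/modules/networking.nix
    # Services
    ../common/services/promtail.nix
    ../common/services/telegraf.nix
    ../common/services/tailscale.nix
    ../common/services/openssh.nix
  ];

  boot.isContainer = true;
  networking.hostName = hostname;
  system.stateVersion = stateVersion;

  # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686:
  # do not inherit the host's resolv.conf; run resolved inside the container.
  networking.useHostResolvConf = lib.mkForce false;
  services.resolved.enable = true;

  # Tailscale pre-auth key, decrypted by sops-nix at activation time.
  # The key is per container, hence the per-host secrets file. It is owned by
  # root and read-only for root (0400 is the sops-nix default; stated
  # explicitly so a future change to the default cannot widen it).
  # On key rotation the units that consume the key are restarted. Note that
  # the consumer is the custom daemon below, not the stock tailscaled.service
  # (which is disabled and therefore has no unit to restart).
  sops.secrets."tailscale_key" = {
    owner = "root";
    mode = "0400";
    sopsFile = ../../secrets/containers/${hostname}.yaml;
    restartUnits = [
      "tailscaled-custom.service"
      "tailscaled-autoconnect.service"
    ];
  };

  # Hand the autoconnect unit the path sops-nix actually reports for the
  # secret instead of a hard-coded "/run/secrets/..." string, so the two
  # cannot silently drift apart if the secrets directory is ever relocated.
  services.tailscale.authKeyFile = config.sops.secrets."tailscale_key".path;

  # The stock tailscaled unit is replaced by tailscaled-custom below; keeping
  # services.tailscale.enable = true is still needed so the module provides
  # the tailscale package, tailscaled-autoconnect and the `up` flags.
  systemd.services.tailscaled.enable = lib.mkForce false;

  services.tailscale = {
    enable = true;
    # NOTE(review): interfaceName only feeds the -tun flag of the stock unit,
    # which is disabled here, and the custom unit runs in userspace mode
    # (no TUN interface); this setting presumably has no effect — confirm.
    interfaceName = "tailscale0-${hostname}";
    extraUpFlags = [
      # Self-hosted control plane; the public Tailscale coordination server
      # is never contacted.
      "--login-server=https://headscale.sysctl.io"
      "--accept-dns"
      "--accept-routes"
    ];
  };

  systemd.services = {
    "tailscaled-custom" = {
      enable = true;
      path = [ pkgs.tailscale ];
      # -tun=userspace: userspace networking, so no /dev/net/tun is required
      # inside the container. -no-logs-no-support: do not ship logs to
      # Tailscale's log service.
      script = ''tailscaled -no-logs-no-support -tun=userspace'';
      after = [ "network.target" ];
      # The daemon must be up before `tailscale up` runs; the autoconnect unit
      # only orders itself after the (disabled) stock tailscaled.service.
      before = [ "tailscaled-autoconnect.service" ];
      wantedBy = [ "tailscaled-autoconnect.service" ];
      serviceConfig = {
        Restart = "on-failure";
        # tailscaled is a long-running daemon: with Type=oneshot the unit
        # never leaves "activating" and `systemctl start` blocks forever.
        Type = "simple";
        # NOTE(review): root is needed for the default /var/run/tailscale
        # control socket and state dir; the "wheel" group appears to be
        # inherited convention rather than a requirement — confirm.
        User = "root";
        Group = "wheel";
      };
    };
  };
}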