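# NixOS host module for "osaka-vultr-01": a small VM that terminates a
# WireGuard tunnel on UDP 51820 and forwards/NATs the tunnel subnet
# (10.100.0.0/24) out through the uplink interface.
#
# Secrets (WireGuard private key and preshared key) are declared via sops-nix
# and referenced through `config.sops.secrets.<name>.path`, so the key-file
# locations always follow the declarations instead of duplicating a
# hard-coded /run/secrets/... string.
{ config, lib, pkgs, modulesPath, desktop, username, ... }:
let
  iptables = "${pkgs.iptables}/bin/iptables";

  # Single definition of the NAT rule so the "-A" in postSetup and the "-D" in
  # postShutdown cannot drift apart (a mismatch would leave a stale rule behind).
  # NOTE(review): confirm "eno3" is the real uplink name on this VM; if it is
  # not, the rule matches nothing and tunnel traffic leaves un-NATed.
  masqueradeRule = "POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE";

  wgPrivateKey = config.sops.secrets."wireguard_keys/osaka-vultr-01";
  wgPresharedKey = config.sops.secrets."wireguard_keys/preshared_key";
in
{
  imports = [
    ./disks.nix
  ];
  nixpkgs.config.allowUnfree = false;

  boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # NOTE(review): the initrd modules above are virtio (KVM/QEMU style);
  # confirm that Hyper-V guest support is actually intended on this host.
  virtualisation.hypervGuest.enable = true;

  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  time.timeZone = "Asia/Tokyo";
  networking.hostName = "osaka-vultr-01";

  # Inbound exposure: SSH (TCP 22) and the WireGuard listener (UDP 51820) are
  # opened on every interface, including the public one.
  # NOTE(review): sshd hardening (key-only auth, no root password login) is not
  # visible in this file — confirm it is configured elsewhere. Once the tunnel
  # is verified, SSH could be limited to the tunnel with
  # networking.firewall.interfaces.wireguard0.allowedTCPPorts instead.
  networking.firewall.allowedTCPPorts = [ 22 ];
  networking.firewall.allowedUDPPorts = [ 51820 ];

  # Set up the secrets file:
  # Both keys are root-owned; only the WireGuard setup needs to read them.
  sops.secrets."wireguard_keys/osaka-vultr-01" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };
  sops.secrets."wireguard_keys/preshared_key" = {
    owner = "root";
    sopsFile = ../../../secrets/wireguard.yaml;
  };

  # Wireguard Forwarder
  # ip_forward is a host-wide switch: it enables IPv4 forwarding between all
  # interfaces, not only wireguard0. This file adds no FORWARD-chain rules, so
  # NOTE(review): confirm forwarding is restricted elsewhere (e.g. only
  # wireguard0 -> uplink plus established return traffic) if that is the intent.
  boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
  networking.wireguard = {
    enable = true;
    interfaces = {
      "wireguard0" = {
        ips = [ "10.100.0.1/24" ];
        listenPort = 51820;
        # Source-NAT tunnel clients behind this host's uplink address; the rule
        # is removed again when the interface goes down.
        postSetup    = "${iptables} -t nat -A ${masqueradeRule}";
        postShutdown = "${iptables} -t nat -D ${masqueradeRule}";
        privateKeyFile = wgPrivateKey.path;
        # Testing
        peers = [
          { # nixos-rpi4-01
            publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
            # /32 pins this peer to a single tunnel address, so it cannot
            # source traffic as any other 10.100.0.0/24 host.
            allowedIPs = [ "10.100.0.2/32" ];
            # Seconds between keepalives. NOTE(review): 5 is far more frequent
            # than the commonly suggested 25; confirm this is deliberate.
            persistentKeepalive = 5;
            # Preshared key layered on top of the public-key handshake.
            presharedKeyFile = wgPresharedKey.path;
          }
        ];
      };
    };
  };
}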