# NixOS host module for the machine named "framework-server".
#
# Security-relevant settings in this file:
#   * three remote root accounts are authorised to log in as root over SSH
#   * root login is forced to key-only ("prohibit-password")
#   * TCP/22 is opened in the host firewall
#   * the host is advertised as a Tailscale exit node and subnet router,
#     with IPv4 forwarding enabled in the kernel
# The imported modules (secureboot, ssh-luks, firewall, wireguard, ...) are
# not visible from here; the notes below only describe what this file sets.
{
  username,
  stateVersion,
  inputs,
  config,
  lib,
  pkgs,
  modulesPath,
  system,
  ...
}:
{
  imports = [
    inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
    (modulesPath + "/installer/scan/not-detected.nix")
    ../../common/modules/secureboot.nix
    ../../common/modules/udev-rules.nix
    ../../common/services/fwupd.nix
    ../../common/modules/ssh-luks.nix
    ../../common/services/docker.nix
    ../../common/services/tailscale-autoconnect.nix
    # Remote-desktop container, parameterised with this host's user and state version.
    (import ../../containers/rdesktop.nix {
      desktop = "xfce";
      inherit stateVersion username;
    })
    ./disks.nix
    ./builder.nix
    ./wireguard.nix
    ./cron.nix
    ./firewall.nix
  ];

  environment.systemPackages = [
    inputs.deploy-rs.packages.${system}.deploy-rs
    pkgs.distrobox
  ];

  # Root logins accepted from other hosts' cron jobs:
  #   backups-rpi4    - backs up sysctl.io's Docker files
  #   osaka-linode-01 - copies certs for the DERP relay
  #   milan-linode-01 - copies certs for the DERP relay
  #
  # NOTE(review): each key is accepted with no authorized_keys options, so a
  # compromise of any of these three hosts yields an unrestricted root shell
  # here. OpenSSH supports per-key options such as `restrict`, `from="..."`
  # and `command="..."`; pinning each key to the one transfer it performs, or
  # moving the jobs to a dedicated unprivileged account, would narrow that
  # trust. The exact commands the cron jobs run are not visible in this file.
  users.users.root.openssh.authorizedKeys.keys = [
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORCrD/ZWXbAfi5eIN8b9dwuvMuPPTgpMiIFh1WagXV2 root@milan-linode-01''
  ];

  services = {
    # Root may log in with a key but never with a password. mkForce makes this
    # value win over any PermitRootLogin set by another imported module.
    openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

    # Advertise this host as an exit node and as a router for 10.2.0.0/24.
    # Tailscale only honours advertised routes and exit nodes once they are
    # approved for the tailnet; which peers may then use them is decided by
    # the tailnet's access policy, not by this file.
    tailscale.extraUpFlags = [
      "--advertise-exit-node"
      "--advertise-routes=10.2.0.0/24"
    ];
  };

  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
      # r8152 is a Realtek USB Ethernet driver; presumably loaded in the initrd
      # so the network is up for ssh-luks.nix -- confirm against that module.
      kernelModules = [ "r8152" ];
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ config.boot.kernelPackages.acpi_call ];

    # IPv4 forwarding turns this host into a router (needed for the exit-node
    # and subnet-route advertisement). What forwarded traffic is filtered
    # depends on ./firewall.nix, which is not visible here.
    # NOTE(review): only IPv4 forwarding is enabled in this file; Tailscale's
    # exit-node guidance also lists net.ipv6.conf.all.forwarding -- confirm
    # whether IPv6 is intentionally left off or set elsewhere.
    kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
    };
  };

  networking = {
    hostName = "framework-server";
    useDHCP = lib.mkDefault true;

    # Opens SSH on every interface the NixOS firewall covers.
    # NOTE(review): together with the root keys above this exposes root SSH
    # wherever the host is reachable. If the cron hosts connect over the
    # tailnet, `networking.firewall.interfaces.<name>.allowedTCPPorts` can
    # scope the port to that interface instead -- verify how they connect.
    firewall.allowedTCPPorts = [ 22 ];
  };

  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";

  # CPU microcode updates follow the redistributable-firmware setting.
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  time.timeZone = "Asia/Tokyo";
}