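# NixOS host module for the Linode VM "osaka-linode-01".
# Covers boot and serial console, disks, basic networking, and this host's
# Tailscale enrolment. Firewall and WireGuard policy live in the two local
# modules imported below and are not visible from this file.
#
# `desktop` and `username` are not used here; presumably they are supplied
# through specialArgs for other modules -- confirm before removing them.
{ config, lib, pkgs, modulesPath, desktop, username, ... }: {
  imports = [
    # nixpkgs' QEMU guest profile (Linode instances are QEMU/KVM guests).
    (modulesPath + "/profiles/qemu-guest.nix")
    ./firewall.nix
    ./wireguard.nix
  ];

  # Storage drivers the initrd may need in order to find the root disk.
  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  # Enable LISH: kernel console and GRUB menu both go to the first serial
  # port at 19200 8N1.
  # NOTE(review): this makes the boot menu and console reachable out-of-band
  # through the provider's console, so access to the Linode account is part
  # of this host's trust boundary. Confirm that local account passwords and
  # the provider account's authentication are as strong as SSH access is.
  boot.kernelParams = [ "console=ttyS0,19200n8" ];
  boot.loader.grub.extraConfig = ''
    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
    terminal_input serial;
    terminal_output serial
  '';

  # "nodev" generates the GRUB menu without writing a boot sector;
  # forceInstall lets the install step proceed where GRUB would refuse.
  boot.loader.grub.forceInstall = true;
  boot.loader.grub.device = "nodev";
  # Seconds the boot menu waits before booting the default entry.
  boot.loader.timeout = 10;

  # Disks are addressed by filesystem label rather than device node.
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };

  swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];

  # Distributed Builds
  # NOTE(review): no nix.buildMachines are declared in this file; presumably
  # they come from a shared module. Remote builders produce store paths this
  # host will run, so they should be treated as trusted machines.
  nix.distributedBuilds = true;

  # Unfree packages are refused on this host.
  nixpkgs.config.allowUnfree = false;

  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  time.timeZone = "Asia/Tokyo";
  networking.hostName = "osaka-linode-01";

  # Left disabled: this file opens no TCP ports itself. Any openings come
  # from ./firewall.nix or ./wireguard.nix -- check there before assuming
  # SSH is or is not exposed on the public interface.
  # networking.firewall.allowedTCPPorts = [ 22 ];

  # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
  # Set up the secrets file:
  # The auth key is decrypted by sops-nix at activation and owned by root;
  # both Tailscale units are restarted whenever the decrypted value changes.
  # NOTE(review): the key is only needed to enrol the node. Prefer a tagged,
  # expiring key in secrets/tailscale.yaml and rotate it after enrolment.
  sops.secrets."tailscale_keys/osaka-linode-01" = {
    owner = "root";
    sopsFile = ../../../secrets/tailscale.yaml;
    restartUnits = [
      "tailscaled.service"
      "tailscaled-autoconnect.service"
    ];
  };

  # Take the path from the secret declaration instead of hard-coding
  # /run/secrets/...: a mistyped secret name now fails at evaluation time
  # rather than leaving tailscaled pointed at a file that never appears,
  # and the reference keeps working if the secret's path is ever overridden.
  services.tailscale.authKeyFile =
    config.sops.secrets."tailscale_keys/osaka-linode-01".path;

  # Offer this host as a tailnet exit node.
  # NOTE(review): an exit node forwards other devices' internet traffic, so
  # it needs IP forwarding on the host -- confirm the common Tailscale module
  # sets services.tailscale.useRoutingFeatures to "server" or "both" -- and
  # the advertisement still has to be approved on the tailnet side. Make sure
  # ./firewall.nix reflects that this machine routes traffic for others.
  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
}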