{ hostname, config, lib, modulesPath, ... }: 
let 
  ipAddress = "192.168.1.35";
  gateway = "192.168.1.1";
  netDev  = "eno1";
in {
  imports = [ 
    (modulesPath + "/installer/scan/not-detected.nix")
    ( import ../../common/services/syncthing/pictures.nix { path = "/Storage/Media/Pictures/RAW"; })
    ../../common/services/tailscale-autoconnect.nix
    ../../common/modules/secureboot.nix
    ../../common/modules/ssh-luks.nix
    ../../common/services/docker.nix
    ../../common/services/forgejo-runner.nix
    ../../common/services/syncthing/default.nix
    ./disks.nix
    ./mounts.nix
    ./cron.nix
    ./firewall.nix
    ./containers.nix
  ];

  boot.kernelParams = [ "ip=${ipAddress}::${gateway}:255.255.255.0:${hostname}:${netDev}:none" ];
  networking = {
    useDHCP = false;
    nameservers = [ "9.9.9.9" ];
    interfaces.${netDev} = {
      ipv4.addresses = [{
        address = ipAddress;
        prefixLength = 24;
      }];
    };
    defaultGateway = gateway;
};

  # Allow root login, but only with SSH keys
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 # backups-rpi4:   Backups 
 # warsaw-ovh-01:  Backups 
  users.users.root.openssh.authorizedKeys.keys = [ 
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' 
    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcGPkzFaSGd1q/oy/uP5zEoOuPNr1h17ifu7oj4DaYO root@warsaw-ovh-01''
  ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
  boot.initrd.kernelModules = [ "r8152" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  # Set your time zone.
  time.timeZone = "America/Los_Angeles";

  # Set the networking hostname:
  networking.hostName = hostname;

  # NOTE:  This is allowed because it's on a secure network 
  #        and I may sometimes need to remotely troubleshoot.
  networking.firewall.allowedTCPPorts = [ 22 ];

  services.tailscale.extraUpFlags = [ 
    "--advertise-exit-node"
    "--accept-routes=false" # NOTE:  For some reason having this enabled causes the Synology to fail to connect.
    "--advertise-routes=192.168.1.31/32,192.168.1.32/32,192.168.1.33/32,192.168.1.34/32,192.168.1.0/24" 
  ];
}