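# Host module for osaka-linode-01: a QEMU guest that boots from the disk
# labelled "nixos", joins the tailnet with a sops-managed auth key and
# advertises itself as a Tailscale exit node.
{ config, lib, pkgs, modulesPath, desktop, username, ... }: {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    # Host-local network policy; the firewall rules live in this file.
    ./firewall.nix
    # ./xinetd.nix
    ./wireguard.nix
  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/disk/by-label/nixos";

  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };

  swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];

  # Distributed Builds
  # NOTE(review): nix.buildMachines is not set in this file, so the builder
  # list presumably comes from a shared module. Remote builders produce store
  # paths that this host then runs; confirm which machines are listed.
  nix.distributedBuilds = true;
  # Packages with an unfree licence are refused at evaluation time.
  nixpkgs.config.allowUnfree = false;

  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  time.timeZone = "Asia/Tokyo";
  networking.hostName = "osaka-linode-01";

  # No TCP port is opened from this file. NOTE(review): leaving the line below
  # commented out does not by itself close SSH on the public interface;
  # services.openssh.openFirewall defaults to true, so check ./firewall.nix
  # and the common modules for the effective rule set.
  # networking.firewall.allowedTCPPorts = [ 22 ];

  # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
  # Set up the secrets file:
  # The auth key is stored encrypted in secrets/tailscale.yaml and is decrypted
  # by sops-nix on the host. Only root owns the decrypted file; the mode is not
  # set here, so the sops-nix default (0400) applies.
  sops.secrets."tailscale_keys/osaka-linode-01" = {
    owner = "root";
    sopsFile = ../../../secrets/tailscale.yaml;
    # Restart both units when the secret changes so a rotated key is picked up.
    restartUnits = [
      "tailscaled.service"
      "tailscaled-autoconnect.service"
    ];
  };
  # Take the path from the secret declaration instead of repeating it as a
  # string, so renaming the secret cannot leave this pointing at a file that
  # no longer exists. By default it resolves to
  # /run/secrets/tailscale_keys/osaka-linode-01.
  services.tailscale.authKeyFile =
    config.sops.secrets."tailscale_keys/osaka-linode-01".path;
  # An exit node forwards other tailnet devices' internet traffic through this
  # host's public address.
  # NOTE(review): forwarding must be enabled for this to work; confirm that
  # services.tailscale.useRoutingFeatures is "server" or "both" in the common
  # Tailscale module. The advertisement also has to be approved on the tailnet,
  # and the tailnet ACLs decide which devices may use this node.
  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
}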