{ modulesPath, config, lib, ... }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
    ../common-nixos-config.nix
    ./nginx.nix
    ./sops.nix
    ./dovecot.nix
    ./mail.nix
    ./dkim.nix
    ./sieve.nix
  ];

  options = let
    mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
  in {
    vacu.liam = {
      shel_domains = mkReadOnly [
        "shelvacu.com"
        "dis8.net"
        "mail.dis8.net"
        "jean-luc.org"
        "in.jean-luc.org"
        "vacu.store"
      ];
      julie_domains = mkReadOnly [
        "violingifts.com"
        "theviolincase.com"
        "shop.theviolincase.com"
      ];
      domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
      reservedIpLocal = mkReadOnly "10.46.0.7";
    };
  };

  config = {
    system.nixos.tags = [ "host-${config.networking.hostName}" ];
    networking.hostName = "liam";
    networking.domain = "dis8.net";

    # networking.interfaces."ens3".useDHCP = false;
    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
    # {
    #   "ip_address": "10.46.0.7",
    #   "netmask": "255.255.0.0",
    #   "gateway": "10.46.0.1"
    # }

    services.openssh.enable = true;

    virtualisation.digitalOcean.setSshKeys = false;

    users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;

    system.stateVersion = "23.11";
  };
}