# NixOS host configuration for the DigitalOcean jump host "do-jump".
#
# The droplet boots as a QEMU guest, gets its addresses from DigitalOcean's
# metadata service via cloud-init, and terminates a single WireGuard tunnel
# whose peer is the hub of the 10.100.0.0/24 overlay.
{ adminUser, config, lib, modulesPath, self, ... }:
let
  # Single source of truth for the WireGuard interface and port; the port is
  # both the tunnel's listen port and the UDP port opened in the firewall.
  wgIface = "wg0";
  wgPort = 51871;
in
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
    "${self}/profiles/home-manager.nix"
    "${self}/profiles/admin-user/user.nix"
    "${self}/profiles/admin-user/home-manager.nix"
    "${self}/profiles/disk/vm.nix"
    "${self}/profiles/server.nix"
  ];

  # The WireGuard private key is an agenix secret: it is decrypted at
  # activation time and referenced by path below, so it never lands in the
  # world-readable Nix store.
  age.secrets.wireguard.file = "${self}/secrets/do/wireguard.age";

  disko.devices.disk.disk1.device = "/dev/vda";

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  home-manager.users.${adminUser.name}.imports = [ "${self}/home/profiles/minimal.nix" ];

  # The growpart unit that digital-ocean-config.nix ships seems to always be
  # broken on this host, so it is switched off. The cloud-init growpart /
  # resizefs modules listed below are presumably what grows the root
  # filesystem instead — verify after the next resize.
  systemd.services.growpart.enable = false;

  # Networking is provisioned by cloud-init rather than DHCP (DigitalOcean
  # hands out addresses through its metadata service), so cloud-init must be
  # enabled with network support. The module lists are trimmed to what works
  # on NixOS, following
  # https://github.com/nix-community/nixos-anywhere-examples/blob/7f945ff0ae676c0eb77360b892add91328dd1f17/digitalocean.nix
  # and the upstream defaults in
  # https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl
  #
  # NOTE(review): bootcmd, runcmd, scripts_* and write_files act on whatever
  # user-data the metadata service returns, and cloud-init runs them as root.
  # Anyone who can edit this droplet's user-data (a DigitalOcean API token
  # with write access) can therefore run code on the jump host; treat that
  # token with the same care as the host's SSH keys. set_password and
  # ssh-import-id likewise take credentials from metadata — keep password
  # login disabled in sshd (expected from server.nix; confirm) so set_password
  # cannot open a second login path.
  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = [ "ConfigDrive" "Digitalocean" ];
      datasource.ConfigDrive = { };
      datasource.Digitalocean = { };

      cloud_init_modules = [
        "seed_random"
        "bootcmd"
        "write_files"
        "growpart"
        "resizefs"
        "set_hostname"
        "update_hostname"
        "set_password"
      ];

      cloud_config_modules = [
        "ssh-import-id"
        "keyboard"
        "runcmd"
        "disable_ec2_metadata"
      ];

      cloud_final_modules = [
        "write_files_deferred"
        "puppet"
        "chef"
        "ansible"
        "mcollective"
        "salt_minion"
        "reset_rmc"
        "scripts_per_once"
        "scripts_per_boot"
        "scripts_user"
        "ssh_authkey_fingerprints"
        "keys_to_console"
        "install_hotplug"
        "phone_home"
        "final_message"
      ];
    };
  };

  networking = {
    hostName = "do-jump";

    # Addresses come from cloud-init (see above). mkForce keeps DHCP off even
    # if one of the imported profiles turns it on.
    useDHCP = lib.mkForce false;

    wireguard = {
      enable = true;
      interfaces.${wgIface} = {
        ips = [ "10.100.0.50/32" ];
        listenPort = wgPort;
        privateKeyFile = config.age.secrets.wireguard.path;
        peers = [
          {
            publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
            # The whole overlay /24 is routed through this one peer, and it is
            # the only source range WireGuard will accept from it.
            allowedIPs = [ "10.100.0.0/24" ];
            # Periodic keepalive — presumably to hold tunnel state open across
            # any NAT or stateful firewall on the peer's side.
            persistentKeepalive = 25;
          }
        ];
      };
    };

    firewall = {
      # WireGuard is the only inbound port opened on the public interface.
      # The protocol silently drops unauthenticated datagrams, so this port
      # does not respond to scans.
      allowedUDPPorts = [ wgPort ];

      # NOTE(review): trusting the tunnel interface bypasses the firewall for
      # everything that arrives over it. Only the single peer above can
      # authenticate, and only with source addresses inside 10.100.0.0/24,
      # but that peer then reaches every listening service on this host. If
      # the jump host ever runs more than SSH, prefer
      # `interfaces.wg0.allowedTCPPorts = [ 22 ];` over a trusted interface.
      trustedInterfaces = [ wgIface ];
    };
  };

  system.stateVersion = "25.05"; # Did you read the comment?
}