# NixOS host configuration for "synology-vm".
#
# Pulls in the host-local disk/hardware/secret modules, the shared profiles
# under ${self}/profiles, and then configures: boot loader, networking,
# a NAS client mount, backups, a remote-build account, and a WireGuard tunnel.
{ lib, adminUser, config, self, ... }:
let
  # Single source of truth for the local WireGuard UDP port, so the
  # interface's listen port and the firewall opening cannot drift apart.
  wgPort = 51871;
in
{
  imports = [
    # Host-local modules (relative to this file).
    ./disks.nix
    ./hardware.nix
    ./secrets.nix

    # Home Manager configuration for the admin user.
    {
      home-manager.users.${adminUser.name}.imports = [
        ./home.nix
        { home.stateVersion = "25.05"; }
      ];
    }

    # Shared profiles from the flake root.
    "${self}/profiles/programs/home-manager.nix"
    "${self}/profiles/admin-user/user.nix"
    "${self}/profiles/admin-user/home-manager.nix"
    "${self}/profiles/core/boot.nix"
    "${self}/profiles/core/locale.nix"
    "${self}/profiles/core/docs.nix"
    "${self}/profiles/core/ssh.nix"
    "${self}/profiles/core/tools.nix"
    "${self}/profiles/core/security.nix"
    "${self}/profiles/core/users.nix"
    "${self}/profiles/core/motd.nix"
    "${self}/profiles/nix/nix.nix"
    "${self}/profiles/nix/gc.nix"
    "${self}/profiles/network/networkd.nix"
    "${self}/profiles/network/firewall.nix"
    "${self}/profiles/services/podman.nix"
    "${self}/profiles/programs/fish.nix"

    # Host-local profile: note this path is relative to this file, unlike the
    # shared profiles above.
    ./profiles/git-server.nix
  ];

  # UEFI boot via systemd-boot.
  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot.enable = true;
  };

  networking = {
    hostName = "synology-vm";
    useDHCP = lib.mkDefault true;

    # WireGuard tunnel. The private key is read from an age-managed secret
    # file rather than being written inline in this configuration.
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.100.0.40/32" ];
        listenPort = wgPort;
        privateKeyFile = config.age.secrets.wireguard.path;
        peers = [
          {
            publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
            # Everything in 10.100.0.0/24 is routed to, and accepted from,
            # this single peer.
            allowedIPs = [ "10.100.0.0/24" ];
            endpoint = "165.232.158.110:51871";
            persistentKeepalive = 25;
          }
        ];
      };
    };

    # Inbound UDP for WireGuard.
    # NOTE(review): this host dials a fixed peer endpoint and sends
    # keepalives, so the inbound opening may only matter if the peer has to
    # initiate the session. Confirm it is needed before keeping it open.
    firewall.allowedUDPPorts = [ wgPort ];
  };

  # Only wait for any one interface to come online, and only when DHCP is in
  # use (follows the networking.useDHCP value above).
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  my.modules = {
    # Remote volume mounted at /data/backups, owned by the admin user's uid.
    nas-client = {
      enable = true;
      volumes.data = {
        server = "192.168.1.68";
        remotePath = "backups";
        mountPoint = "/data/backups";
        inherit (adminUser) uid;
      };
    };

    # Backups; both the repository password and the GCS credentials are taken
    # from age-managed secret files.
    backups = {
      enable = true;
      passwordFile = config.age.secrets.restic_password.path;
      remote = {
        googleProjectId = "fcuny-infra";
        googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
      };
    };
  };

  # Account used for remote builds over SSH.
  # NOTE(review): isNormalUser gives this account a home directory and a
  # login shell. Confirm interactive login is intended, and whether the
  # shared ssh profile restricts what these keys may do.
  users.users.builder = {
    isNormalUser = true;
    group = "nogroup";
    openssh.authorizedKeys.keys = [
      # my personal key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
      # remote builder ssh key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
    ];
  };

  # SECURITY: a Nix trusted user can override daemon settings and import
  # unsigned store paths, which is effectively root-equivalent on this host.
  # Every key authorised for "builder" above inherits that power, so treat
  # both keys as root credentials for this machine and keep the list minimal.
  nix.settings.trusted-users = [ "builder" ];

  # Release whose stateful defaults this system was installed with. It is
  # independent of home.stateVersion above, and is not meant to be bumped as
  # part of a routine upgrade; read the NixOS option documentation first.
  system.stateVersion = "23.11";
}