{ self, lib, config, ... }:
let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
{
  imports = [
    self.nixosModules.nixos-wiki
    self.nixosModules.nixos-wiki-backup
    self.nixosModules.hcloud
  ];
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.11";
  security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";

  sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
  sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;

  services.nixos-wiki = {
    hostname = "nixos-wiki2.thalheim.io";
    adminPasswordFile = config.sops.secrets.nixos-wiki.path;
    githubClientId = "Iv1.95ed182c83df1d22";
    githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
    emergencyContact = "nixos-wiki@thalheim.io";
    passwordSender = "nixos-wiki@thalheim.io";
    noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
  };

  sops.defaultSopsFile = ./secrets.yaml;
  boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
}