# NixOS module for the "v6proxy" host: a dual-stack edge that accepts HTTP(S)
# on ports 80/443 and hands the connections to proxy.htw.stura-dresden.de
# (141.56.51.1) through haproxy, and that runs a WireGuard uplink
# ("sturauplink"). ./hardware-configuration.nix and ./hetzner-disk.nix are
# imported but not shown here; options set there merge with this file.
{ self, config, lib, pkgs, ... }:
{
  sops = {
    defaultSopsFile = ./secrets.sops.yml;
    secrets = {
      # Decrypted at activation; referenced below via
      # config.sops.secrets."wireguard-key".path.
      # NOTE(review): networking.wireguard sets the interface up from a
      # root-run service, so the systemd-network owner is not what reads this
      # file; harmless, but confirm whether the systemd-networkd backend was
      # intended instead.
      "wireguard-key".owner = "systemd-network";
    };
  };

  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
  ];

  networking = {
    hostName = "v6proxy";
    interfaces.eth0 = {
      # Public IPv4 as a /32 with an on-link default gateway (defaultGateway
      # below); presumably the hosting provider's convention — confirm.
      ipv4.addresses = [ { address = "178.104.18.93"; prefixLength = 32; } ];
      ipv6 = {
        addresses = [ { address = "2a01:4f8:1c19:96f8::1"; prefixLength = 64; } ];
        # IPv6 default route via the link-local gateway.
        routes = [ { address = "::"; prefixLength = 0; via = "fe80::1";} ];
      };
    };
    defaultGateway.address = "172.31.1.1";
    defaultGateway.interface = "eth0";
    nameservers = [ "9.9.9.9" "1.1.1.1" ];
    firewall = {
      # SSH plus the two haproxy frontends defined below.
      # NOTE(review): the WireGuard listenPort (51820/udp) is not opened here.
      # The peer with an endpoint is reached outbound, but the "mail" peer has
      # no endpoint and must initiate inbound; unless an imported file adds
      # allowedUDPPorts = [ 51820 ], those handshakes are dropped — confirm.
      allowedTCPPorts = [ 22 80 443 ];
    };
    # nftables backend for the NixOS firewall.
    nftables = { enable = true; };
    wireguard = {
      enable = true;
      interfaces = {
        sturauplink = {
          listenPort = 51820;
          privateKeyFile = config.sops.secrets."wireguard-key".path;
          ips = [ "10.100.0.1/24" "fd28:6691:1921:6299::1/64" ];
          # allowedIPs is both the route towards a peer and the set of source
          # addresses accepted from it (cryptokey routing).
          peers = [
            # mail.test.htw.stura-dresden.de
            # No endpoint: this peer has to initiate the handshake itself.
            {
              allowedIPs = [ "10.100.0.20/32" ];
              publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk=";
            }
            # proxy.htw.stura-dresden.de
            # NOTE(review): the IPv6 entry is a whole /64, so this peer may
            # send from any address in that prefix, not only ::2; a /128 is
            # the least-privilege choice unless the full prefix is meant to be
            # routed to the proxy side — confirm.
            {
              allowedIPs = [ "10.100.0.2/32" "fd28:6691:1921:6299::2/64" ];
              endpoint = "141.56.51.1:51820";
              publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U=";
            }
          ];
        };
      };
    };
  };

  # once the instances have been migrated into the flake this could be auto-generated
  services ={
    haproxy = {
      enable = true;
      # :443 is passed through as plain TCP (TLS is terminated at the backend);
      # :80 goes to an HTTP-mode backend. Both backends point at the proxy's
      # public address 141.56.51.1, not at its WireGuard address 10.100.0.2, so
      # this traffic does not use the tunnel above — presumably deliberate,
      # confirm.
      # NOTE(review): neither send-proxy nor forwardfor is configured, so the
      # backend sees this host as the client address of every connection, which
      # affects its logging and any per-client rate limiting there.
      # The server lines carry no "check", so haproxy performs no health checks
      # and the stats page (bound to 127.0.0.1 only) shows no backend state.
      # "bind :::80" / "bind :::443" bind the IPv6 wildcard; whether IPv4
      # clients are also accepted follows the system bindv6only setting unless
      # v4v6/v6only is given — confirm.
      config = ''
        global
          # schreibe globalen log ins journal ip -> app
          log /dev/log format raw local0
          maxconn 50000
          # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
          # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          tune.bufsize 32762

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s

        # stats seite zeigt backend connection status, wenn check gesetzt ist
        frontend stats
          bind 127.0.0.1:8404
          mode http
          stats enable
          stats uri /stats
          stats refresh 10s
          stats show-legends
          stats show-node
          stats show-modules

        frontend http-in
          bind :::80
          use_backend http_80

        frontend sni_router
          bind :::443
          mode tcp
          use_backend http_443

        backend http_80
          mode http
          server proxy 141.56.51.1:80

        backend http_443
          mode tcp
          server proxy 141.56.51.1:443
      '';
    };
  };

  # Operator tooling for the WireGuard interface (wg, wg-quick).
  environment.systemPackages = with pkgs; [ wireguard-tools ];

  system.stateVersion = "25.11";
}