{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}:
{
  imports = [
    "${modulesPath}/virtualisation/proxmox-lxc.nix"
  ];

  sops = {
    defaultSopsFile = ./secrets.sops.yaml;
    secrets = {
      "gradient-jwt".owner = "gradient";
      "gradient-crypt".owner = "gradient";
      "gradient-worker".owner = "gradient-worker";
    };
  };

  networking = {
    hostName = "gradient";
    fqdn = "gradient.adm.htw.stura-dresden.de";
    interfaces.eth0.ipv4.addresses = [
      {
        address = "141.56.51.127";
        prefixLength = 24;
      }
    ];

    defaultGateway = {
      address = "141.56.51.254";
      interface = "eth0";
    };
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };

  services = {
    openssh.enable = true;

    gradient = {
      enable            = true;
      frontend.enable   = true;
      domain            = "${config.networking.fqdn}";
      jwtSecretFile     = "/run/secrets/gradient-jwt";
      cryptSecretFile   = "/run/secrets/gradient-crypt";
      configurePostgres = true;
      configureNginx    = true;
      # serveCache        = true;
      reportErrors      = true; # optional: will send crash reports to us
    };

    nginx.virtualHosts."${config.networking.fqdn}".listen = [
      {
        port = 80;
        addr = "0.0.0.0";
      }
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
        proxyProtocol = true;
      }
    ];

    gradient.worker = {
      enable    = true;
      serverUrl = "ws://127.0.0.1:3000/proto";
      workerId  = "8f56dd3a-5698-4512-8bf7-ab8dcfaed46c";
      peersFile = "/run/secrets/gradient-worker-peers";
      capabilities = {
        fetch = true;
        eval  = true;
        build = true;
      };
    };
  };


  system.stateVersion = "25.11";

}