{ ... }:
# TODO `fysiweb` should import config
#
# `config/default.nix` should automatically be imported by all systems through
# `fysiweb deploy`, if it exists.
{
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../public/aforemny.id_rsa.pub
    ../public/kirchner.id_rsa.pub
  ];

  security.acme.acceptTerms = true;
  # TODO why do defaults not suffice here?

  #security.acme.certs.defaults.email = "aforemny@posteo.de";
  #security.acme.certs.defaults.webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."auth.nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."auth.nomath.org".webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."code.nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."code.nomath.org".webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."feed.nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."feed.nomath.org".webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."grafana.nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."grafana.nomath.org".webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."nomath.org".webroot = "/var/lib/acme/acme-challenge";
  security.acme.certs."static.nomath.org".email = "aforemny@posteo.de";
  security.acme.certs."static.nomath.org".webroot = "/var/lib/acme/acme-challenge";
  networking.firewall.allowedTCPPorts = [ 80 ];

  # TODO IPv6 configuration should be handled by `fysiweb`

  # TODO this is system1-specific
  networking.nameservers = [
    "2a01:4ff:ff00::add:1"
    "2a01:4ff:ff00::add:2"
  ];
  networking.interfaces.eth0.ipv6.addresses = [
    {
      address = "2a01:4f8:c2c:2203::1";
      prefixLength = 64;
    }
  ];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "eth0";
  };
}