{ lib, ... }: let
  ts-flags = [
    "--advertise-exit-node"
    "--advertise-routes=10.3.14.0/24,192.168.1.0/24"
    "--ssh" "--webclient"
  ];
in {
  imports = [
    ./homelab/containers.nix
    ./homelab/gallery.nix
    ./homelab/tunnels.nix
    ./homelab/remote.nix
    # ./homelab/media.nix # wip
    ./homelab/share.nix
    ./homelab/proxy.nix
    ./homelab/auth.nix
    ./homelab/pass.nix
    ./homelab/dash.nix
    ./homelab/dns.nix
    ./homelab/git.nix
    ./homelab/ai.nix
    ./core/swapfile.nix
    ./misc/theme.nix
    ./base.nix
  ];

  services.tailscale = {
    enable = true;
    authKeyFile = "/mnt/data/tailscale/authkey";
    useRoutingFeatures = "server";
    extraUpFlags = ts-flags;
    extraSetFlags = ts-flags;
  };
  
  virtualisation = {
    oci-containers.backend = "docker";
    docker = {
      enable = true;
      autoPrune.enable = true;
      enableOnBoot = true;
    };
  };

  networking = {
    networkmanager.dns = "none";
    nameservers = lib.mkForce [ "127.0.0.1" ];
  };
}