{ config, lib, pkgs, ... }:

{
  config = {

    boot = {
      initrd = {
        luks.devices.socrates-unlocked = {
          device = "/dev/socrates/socrates-locked";
          preLVM = false;
          allowDiscards = true;
        };
        availableKernelModules = [
          "xhci_pci"
          "ehci_pci"
          "ahci"
          "usb_storage"
          "usbhid"
          "sd_mod"
          "r8169"
        ];
        kernelModules = [ "dm-snapshot" ];
        network = {
          enable = true;
          ssh = {
            enable = true;
            port = 22;
            authorizedKeys = [
              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
            ];
            hostKeys = [
              "/state/ssh/ssh_host_ed25519_key"
              "/state/ssh/ssh_host_rsa_key"
            ];
          };
        };
      };

      loader = {
        grub = {
          enable = true;
          version = 2;
          device = "/dev/sda";
        };
      };

      kernelModules = [ ];
      extraModulePackages = [ ];
    };

    fileSystems = {
      "/" = {
        device = "socrates-root";
        fsType = "tmpfs";
        options = [ "mode=755" "noexec" ];
      };

      "/boot" = {
        device = "/dev/disk/by-label/socrates-boot";
        fsType = "ext4";
        options = [ "noatime" "nodiratime" "noexec" ];
      };

      "/nix" = {
        device = "/dev/disk/by-label/socrates-data";
        fsType = "btrfs";
        options = [ "subvol=@nix" "compress=zstd" "noatime" "nodiratime" ];
      };

      "/var/log" = {
        device = "/dev/disk/by-label/socrates-data";
        fsType = "btrfs";
        options = [ "subvol=@log" "compress=zstd" "noatime" "nodiratime" "noexec" ];
      };

      "/state" = {
        device = "/dev/disk/by-label/socrates-data";
        fsType = "btrfs";
        options = [ "subvol=@state" "compress=zstd" "noatime" "nodiratime" "noexec" ];
      };

      "/home" = {
        device = "/dev/disk/by-label/socrates-data";
        fsType = "btrfs";
        options = [ "subvol=@home" "compress=zstd" "noatime" "nodiratime" "noexec" ];
      };
    };

    swapDevices = [{
      device = "/dev/socrates/socrates-swap";
      randomEncryption.enable = true;
    }];

    networking = {
      macvlans = {
        intif0 = {
          interface = "enp1s0";
          mode = "bridge";
        };
      };

      interfaces = {
        enp1s0.useDHCP = false;
        intif0 = {
          macAddress = "02:f2:30:b8:71:42";
        };
      };
    };
  };
}