{ config, ... }:
let
  hosts = import ../../modules/hosts.nix;
in
{
  imports = [
    ../../modules/hetzner-firewall.nix
    ../../modules/static-ipv6.nix
    ../../modules/monitoring/exporters.nix
    ../../modules/monitoring/server.nix
    ../../modules/monitoring/blackbox.nix
    ../../modules/monitoring/alerts.nix
    ../../modules/monitoring/parsedmarc.nix
    ../../modules/docs.nix
  ];

  clan.core.sops.defaultGroups = [ "admins" ];

  # Public IPv6 (from modules/hosts.nix); SLAAC doesn't bring it up here.
  cnx.staticIPv6 = {
    enable = true;
    address = hosts.${config.networking.hostName}.ipv6;
  };

  time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
  services.timesyncd.enable = true;

  # Public Hetzner Cloud firewalls, synced from this config on every deploy.
  # Rules live in their own data file; see that file for the no-public-SSH note.
  cnx.hetznerFirewall = {
    enable = true;
    firewalls = import ../../modules/hetzner-firewall-rules.nix;
  };
}