{
  imports = [
    ../../modules/hetzner-firewall.nix
  ];

  time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
  services.timesyncd.enable = true;

  # Public Hetzner Cloud firewalls, synced from this config on every deploy.
  # Rules live in their own data file; see that file for the no-public-SSH note.
  cnx.hetznerFirewall = {
    enable = true;
    firewalls = import ../../modules/hetzner-firewall-rules.nix;
  };
}