{
  imports = [
    ../../modules/hetzner-firewall.nix
    ../../modules/static-ipv6.nix
    ../../modules/monitoring/exporters.nix
    ../../modules/monitoring/server.nix
    ../../modules/docs.nix
  ];

  clan.core.sops.defaultGroups = [ "admins" ];

  # Public IPv6; SLAAC doesn't bring it up here.
  cnx.staticIPv6 = {
    enable = true;
    address = "2a01:4f9:c013:e6d0::1";
  };

  time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
  services.timesyncd.enable = true;

  # Public Hetzner Cloud firewalls, synced from this config on every deploy.
  # Rules live in their own data file; see that file for the no-public-SSH note.
  cnx.hetznerFirewall = {
    enable = true;
    firewalls = import ../../modules/hetzner-firewall-rules.nix;
  };
}