# NixOS host module: Marzban panel with an inline Xray configuration, the
# sing-box package from the unstable channel, and Yggdrasil key persistence.
#
# Arguments beyond the standard `config`/`pkgs`:
#   pkgs-unstable - second package set; only `sing-box` is taken from it here.
#   secret        - attrset supplying `marzban.port`, `marzban.sudo-username`
#                   and `marzban.sudo-password`.
#
# NOTE(review): values read from `secret` are ordinary Nix strings once they
# are evaluated. If the `marzban` module renders `env` into a generated file or
# unit, they presumably end up in the world-readable /nix/store. Confirm how
# the module consumes them.
{ config, pkgs, pkgs-unstable, secret, ... }:

let
  # One public name is used both as the panel bind host and the cert domain.
  panelDomain = "mio.project-a.space";

  # Panel listen port; also opened in the firewall below.
  panelPort = secret.marzban.port;

  # Shadowsocks inbound port; also opened in the firewall below (TCP only).
  shadowsocksPort = 8443;
in
{
  imports = [
    ./hardware-configuration.nix
    ./nginx.nix
  ];

  # `pkgs-unstable.sing-box` is a fully qualified attribute path, so no
  # `with pkgs;` scope is needed to resolve it.
  environment.systemPackages = [ pkgs-unstable.sing-box ];

  marzban = {
    env = {
      UVICORN_HOST = panelDomain;
      UVICORN_PORT = panelPort;

      # Panel administrator credentials, supplied out of band via `secret`.
      SUDO_USERNAME = secret.marzban.sudo-username;
      SUDO_PASSWORD = secret.marzban.sudo-password;

      # NOTE(review): this presumably turns on the panel's interactive API
      # documentation endpoints. The panel port is opened to the internet
      # below, so confirm that exposing them is intended, or disable this
      # outside of debugging.
      DOCS = true;
    };

    cert = true;
    domain = panelDomain;

    xray = {
      log.loglevel = "warning";

      dns = {
        servers = [ "1.1.1.1" ];
        queryStrategy = "UseIPv4";
      };

      # Traffic whose destination matches `geoip:private` is routed to the
      # blackhole outbound, so proxy clients cannot reach such addresses
      # through this host.
      routing.rules = [
        {
          type = "field";
          ip = [ "geoip:private" ];
          outboundTag = "BLOCK";
        }
      ];

      inbounds = [
        {
          port = shadowsocksPort;
          tag = "Mr Penis Network";
          protocol = "shadowsocks";
          settings = {
            method = "aes-128-gcm";
            # NOTE(review): a short literal credential is committed with the
            # configuration here, unlike the panel credentials above, which
            # come from `secret`. Rotate it to a long random value and source
            # it through the same secret mechanism.
            password = "sosal?";
            # NOTE(review): UDP is declared here, but this file only opens TCP
            # for the port. No `allowedUDPPorts` entry is visible in this
            # module. Confirm whether UDP is meant to be reachable, and drop
            # it here if it is not.
            network = "tcp,udp";
          };
        }
      ];

      outbounds = [
        { protocol = "freedom"; tag = "DIRECT"; }
        { protocol = "blackhole"; tag = "BLOCK"; }
      ];
    };
  };

  # Internet-facing TCP ports: the Marzban panel and the Shadowsocks inbound.
  networking.firewall.allowedTCPPorts = [ panelPort shadowsocksPort ];

  # Keep the Yggdrasil node keys across restarts. The service itself is not
  # enabled in this file, so it is presumably configured elsewhere.
  services.yggdrasil.persistentKeys = true;
}