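# NixOS host module. Takes the host name, the primary user name and the
# flake's `util` helpers; everything else is taken from the shared modules.
{
  # keep-sorted start
  hostName,
  userName,
  util,
  # keep-sorted end
  ...
}:
{
  imports = [
    # keep-sorted start
    ../../modules/nixos/default.nix
    ./hardware-configuration.nix
    # keep-sorted end
  ]
  ++ (util.toImports ../../modules/nixos/features [
    # keep-sorted start
    "borgbackup"
    "intel-gpu"
    # keep-sorted end
  ])
  ++ (util.toImports ../../modules/nixos/bundles [ "server" ]);

  # external drive: addressed by UUID, `nofail` so boot still succeeds
  # (with the mount simply absent) when the disk is unplugged
  fileSystems."/mnt/external" = {
    device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
    fsType = "ext4";
    options = [ "nofail" ];
  };

  networking = {
    inherit hostName;
    # only the web ports are opened explicitly on the LAN interface; the
    # sshd port (5011) is opened by services.openssh itself
    firewall.interfaces."enp2s0".allowedTCPPorts = [ 80 443 ];
  };

  services = {
    # user-space mounting for the external drive
    udisks2.enable = true;

    # hardened openssh: the real daemon listens on 5011 and is key-only with
    # root login disabled; endlessh occupies port 22 as a tarpit for scanners
    # and fail2ban bans repeat offenders
    fail2ban.enable = true;
    endlessh = {
      enable = true;
      port = 22;
      openFirewall = true;
    };
    openssh = {
      enable = true;
      ports = [ 5011 ];
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        # derived from the same `userName` as users.users below, so changing
        # the account name cannot silently lock ssh out
        AllowUsers = [ userName ];
      };
    };
  };

  system.stateVersion = "24.11";

  users = {
    groups.${userName} = { };
    users.${userName} = {
      # NOTE: membership in `docker` is root-equivalent on this host, so this
      # account effectively has two routes to root (docker and wheel)
      extraGroups = [
        # keep-sorted start
        "docker"
        "wheel"
        # keep-sorted end
      ];
      # derived from `userName` rather than hard-coded, matching the account above
      home = "/home/${userName}";
      isNormalUser = true;
    };
  };

  virtualisation.docker.enable = true;
}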