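# Host aspect "orion": a small self-hosted box where Caddy is the only
# network-facing service and every application backend is reached over
# loopback. Reverse proxies are grouped under one `caddy` definition so the
# public hostnames and their upstream ports can be audited in one place.
{ den, lib, ... }:
{
  den.aspects.orion = {
    includes = [
      (
        { host, ... }:
        {
          # Start all user services on boot, not on login (useful for syncthing).
          nixos.users.users = lib.mapAttrs (_: _: { linger = true; }) host.users;
        }
      )
    ];

    nixos =
      { config, pkgs, ... }:
      {
        environment.systemPackages = [ pkgs.kitty ];

        networking = {
          firewall.enable = true;
          firewall.allowPing = false;
          nftables.enable = true;
        };

        # Use ssh authorization for sudo instead of password.
        # Note that whatever agent can satisfy sshd for a login can then also
        # satisfy sudo, so agent forwarding to this host is equivalent to a
        # sudo grant.
        security.pam = {
          sshAgentAuth.enable = true;
          services.sudo.sshAgentAuth = true;
        };

        services = {
          # Single ingress: TLS termination and ACME (contact address below).
          # Only Caddy opens firewall ports; backends bind to 127.0.0.1 and are
          # reached through the virtualHosts listed here.
          caddy = {
            enable = true;
            email = "mail@jelles.net";
            openFirewall = true;
            virtualHosts = {
              "vault.jelles.net".extraConfig =
                "reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";

              # TODO: Is this extensive config necessary?
              # Radicale authenticates users itself (htpasswd, see below), so the
              # X-Remote-User header is not what grants access: Radicale only
              # consumes it with auth type http_x_remote_user, and
              # {http.auth.user.id} is empty here because Caddy performs no
              # authentication of its own.
              "radicale.jelles.net".extraConfig = ''
                reverse_proxy :5232 {
                  header_up X-Script-Name /
                  header_up X-Forwarded-For {remote}
                  header_up X-Remote-User {http.auth.user.id}
                }'';

              "finance.jelles.net".extraConfig =
                "reverse_proxy :${toString config.services.actual.settings.port}";

              "git.jelles.net".extraConfig =
                "reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
            };
          };

          openssh = {
            enable = true;
            settings = {
              PermitRootLogin = "no";
              PasswordAuthentication = false;
              # TODO: Retrieve usernames dynamically
              # "git" is presumably the Gitea user, since Gitea relies on this
              # sshd rather than its own SSH server (START_SSH_SERVER = false).
              AllowUsers = [ "kiri" "git" ];
            };
          };

          vaultwarden = {
            enable = true;
            backupDir = "/var/backup/vaultwarden";
            config = {
              DOMAIN = "https://vault.jelles.net";
              SIGNUPS_ALLOWED = false;
              # Bind to loopback like the other backends (actual, gitea,
              # radicale). Without this vaultwarden uses its own default bind
              # address, which is not loopback, and only the firewall would keep
              # port 8100 off the network.
              ROCKET_ADDRESS = "127.0.0.1";
              ROCKET_PORT = 8100;
              ROCKET_LOG = "critical";
            };
          };

          radicale = {
            enable = true;
            settings = {
              # Loopback only; Caddy fronts it as radicale.jelles.net.
              server.hosts = [ "127.0.0.1:5232" ];
              auth = {
                type = "htpasswd";
                # TODO: Get password file from SOPS
                htpasswd_filename = "/var/lib/radicale/users";
                htpasswd_encryption = "bcrypt";
              };
              storage.filesystem_folder = "/var/lib/radicale/collections";
            };
          };

          actual = {
            enable = true;
            openFirewall = false;
            settings = {
              port = 3000;
              hostname = "127.0.0.1";
            };
          };

          gitea = {
            enable = true;
            settings = {
              server = {
                DOMAIN = "git.jelles.net";
                ROOT_URL = "https://git.jelles.net/";
                HTTP_PORT = 3001;
                HTTP_ADDR = "127.0.0.1";
                # Git-over-SSH goes through the system sshd on port 22, not a
                # Gitea-internal SSH server.
                START_SSH_SERVER = false;
                SSH_PORT = 22;
              };
              service = {
                DISABLE_REGISTRATION = true;
              };
            };
          };
        };

        # TODO: Username dynamically
        users.users.kiri = {
          openssh.authorizedKeys.keys = [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
          ];
        };
      };
  };
}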