{
  inputs,
  config,
  ...
}:
let
  nixosModules = config.flake.modules.nixos;
in
{
  flake.modules.nixos.orion =
    { pkgs, ... }:
    let
      host = {
        isServer = true;
      };
    in
    {
      _module.args.host = host;

      imports = [
        inputs.home-manager.nixosModules.home-manager
        nixosModules.sopsHost
        nixosModules.caddy
        nixosModules.openssh
        nixosModules.vaultwarden
        nixosModules.radicale
        nixosModules.actual
        nixosModules.gitea
        nixosModules.kiri
        ./_hardware.nix
        ./_disk.nix
      ];

      system.stateVersion = "24.05";

      home-manager = {
        useGlobalPkgs = true;
        backupFileExtension = "bak";
        extraSpecialArgs = { inherit inputs; };
      };

      networking.hostName = "orion";

      security.sudo.extraConfig = ''
        Defaults env_keep+=SSH_AUTH_SOCK
      '';

      users.users.kiri = {
        linger = true;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
        ];
      };

      environment.systemPackages = [
        pkgs.kitty
      ];

      networking = {
        firewall.enable = true;
        firewall.allowPing = false;
        nftables.enable = true;
      };

      security.pam = {
        sshAgentAuth.enable = true;
        services.sudo.sshAgentAuth = true;
      };
    };
}