{
  flake,
  config,
  pkgs,
  lib,
  ...
}: {
  networking.hostName = "frikandel";
  networking.hostId = "44234773";
  networking.nameservers = [
    "193.110.81.0" #dns0.eu
    "2a0f:fc80::" #dns0.eu
    "185.253.5.0" #dns0.eu
    "2a0f:fc81::" #dns0.eu
  ];

  services.openssh.openFirewall = true;

  # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
  networking.useDHCP = false;
  networking.interfaces.enp1s0 = {
    ipv4.addresses = [{ address = "128.140.109.213"; prefixLength = 32; }];
    ipv6.addresses = [{ address = "2a01:4f8:c2c:b60::"; prefixLength = 64; }];
  };
  networking.defaultGateway = {
    address = "172.31.1.1";
    interface = "enp1s0";
  };
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp1s0";
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Caddy reverse proxy for local services like cups
  services.caddy = {
    enable = true;
    globalConfig = ''
      default_bind 128.140.109.213 2a01:4f8:c2c:b60::
      # auto_https off
      email acme@benjaminbaedorf.eu
      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    '';
  };
}