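# Baseline networking module: NetworkManager (iwd backend), the host firewall,
# a loopback-only Caddy reverse proxy and a key-only OpenSSH daemon.
{ flake, config, pkgs, lib, ... }: {

  # Disable the NetworkManager and systemd-networkd wait-online units by default.
  # mkDefault keeps both overridable by a host that wants them back.
  systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
  systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;

  networking.networkmanager = {
    # Enable NetworkManager. REMEMBER to add yourself to the `networkmanager`
    # group in order to use nm related stuff.
    enable = true;
    wifi.backend = lib.mkDefault "iwd";
  };

  networking.firewall.enable = true;

  # `addLocalHostname` is defined elsewhere in the flake; presumably it maps the
  # listed names to a loopback address -- verify against its definition.
  networking.hosts = flake.self.lib.addLocalHostname [ "caddy.local" ];

  # Caddy reverse proxy for local services like cups.
  # `default_bind 127.0.0.1` keeps the listeners on loopback and `auto_https off`
  # turns off automatic certificates and HTTP->HTTPS redirects, so sites are
  # served as plain HTTP to local clients only.
  services.caddy = {
    enable = true;
    globalConfig = ''
      default_bind 127.0.0.1
      auto_https off
    '';
  };

  # For rage encryption, all hosts need a ssh key pair.
  services.openssh = {
    enable = true;
    allowSFTP = false;

    # If you don't want the host to have SSH actually opened up to the net,
    # set `services.openssh.openFirewall` to false in your config.
    # mkDefault is what makes that plain assignment work: two definitions of a
    # boolean option at the same priority with different values fail evaluation.
    openFirewall = lib.mkDefault true;

    # Key-only logins. PasswordAuthentication can be overridden per host, but
    # `AuthenticationMethods publickey` below still requires a public key, so
    # flipping it alone does not enable password logins.
    settings.PasswordAuthentication = lib.mkDefault false;
    settings.KbdInteractiveAuthentication = false;

    # NOTE(review): TCP forwarding is the one forwarding feature left enabled.
    # It lets any account with an authorized key reach ports the firewall does
    # not expose, including services bound to 127.0.0.1 such as Caddy above.
    # Confirm it is needed; otherwise set it to `no` or restrict it with
    # `PermitOpen`.
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}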