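# NixOS module for the host "bastion": boot mirroring, ZFS/vfat mounts, bridged
# networking, a tinc VPN endpoint, UPS monitoring and root cron jobs.
#
# Line structure restored: with the file collapsed onto two lines, the first
# `#` comment swallowed the rest of each line and the expression did not parse.
{ pkgs, ... }:

{
  networking.hostName = "bastion";
  networking.hostId = "0d13f99b";

  # WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
  # https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
  # https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network

  imports = [
    ./bastion_base.nix
    ../../features/intelgpu.nix
    ../../tweaks/powersave.nix
    ../../features/frigate-mpv-cage.nix
  ];

  # GRUB is installed into both boot partitions; "nodev" means no boot sector
  # is written to a device.
  boot.loader.grub.mirroredBoots = [
    { devices = [ "nodev" ]; path = "/boot0"; }
    { devices = [ "nodev" ]; path = "/boot1"; }
  ];

  fileSystems = {
    # "nofail" lets the boot continue when the device is missing.
    "/boot0" = {
      device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
      fsType = "vfat";
      options = [ "nofail" ];
    };
    "/boot1" = {
      device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
      fsType = "vfat";
      options = [ "nofail" ];
    };
    # NOTE(review): unlike the other mounts this one has no "nofail", so a
    # missing pool presumably blocks boot; confirm that is intended.
    "/exports/Frigate" = {
      device = "bastion-frigate";
      fsType = "zfs";
    };
    "/exports/MyBook" = {
      device = "MyBook/root";
      fsType = "zfs";
      options = [ "nofail" ];
    };
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Networking

  systemd.network.networks = {
    # Both physical NICs are enslaved to br0; br0 itself is not defined in this
    # file (presumably in ./bastion_base.nix, confirm).
    "30-eno1" = {
      matchConfig.Name = "eno1";
      networkConfig.Bridge = "br0";
      linkConfig.RequiredForOnline = "enslaved";
    };
    "30-enp0s20f0u8" = {
      matchConfig.Name = "enp0s20f0u8";
      networkConfig.Bridge = "br0";
      linkConfig.RequiredForOnline = "enslaved";
    };
    "90-tinc" = {
      # NOTE(review): the name differs from the tinc network "mlaga97space";
      # presumably "tinc.mlaga97space" truncated to the 15-character Linux
      # interface-name limit. Confirm against `ip link` on the host.
      matchConfig.Name = "tinc.mlaga97spa";
      address = [ "10.86.84.105/32" ];
      routes = [
        { Destination = "10.86.84.0/24"; }
      ];
    };
  };

  services.tinc.networks.mlaga97space = {
    name = "bastion";
    # The private key is referenced by path and kept outside the Nix store,
    # which is world-readable. Keep the file readable by root only.
    ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
    # NOTE(review): this turns off chroot confinement of the tinc daemon; the
    # reason is not recorded here. Re-enable it if nothing depends on it.
    chroot = false;
    settings.ConnectTo = [ "fortress" "citadel" ];
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Services

  hardware.coral.pcie.enable = true;

  services.apcupsd = {
    enable = true;
    # NOTE(review): NISIP 0.0.0.0 binds apcupsd's network information server
    # (TCP 3551 unless NISPORT is set) to every interface, and that protocol
    # has no authentication. If only local tools query it, bind to 127.0.0.1;
    # otherwise make sure the firewall limits who can reach the port.
    configText = ''
      UPSTYPE usb
      NISIP 0.0.0.0
      BATTERYLEVEL 5
      MINUTES 3
    '';
  };

  # TODO: Put scripts into version control
  #
  # NOTE(review): every job below runs as root but executes a script from
  # /home/lauren_lagarde/bin. If that account can write to the directory or the
  # scripts, it can run arbitrary code as root. Move the scripts to a
  # root-owned, non-writable path or build them into the Nix store (for example
  # with pkgs.writeShellScript), which also resolves the TODO above.
  #
  # NOTE(review): stdout goes to /dev/null and the empty mailto tells cron not
  # to mail job output, so a failing backup sync is silent. Log stderr
  # somewhere that is monitored.
  services.cron = {
    enable = true;
    mailto = "";
    systemCronJobs = [
      # Sync Restic from Archive to MyBook daily at 0600
      "0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"

      # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
      "*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"

      # Grab a still photo from all cameras once per minute
      "* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"

      # TODO: Automatically Collate Camera Images Monthly
    ];
  };
}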