# NixOS host module for "hetzner-arm": shared server presets, nginx, one
# imported module per containerised service, and NAT for container egress.
{ tree, lib, ... }:
let
  # Each name maps to ./containers/<name>, imported as a separate module.
  # Commented-out entries are kept as a record of services not enabled here.
  containerNames = [
    "social"
    "storage"
    "postgresql"
    "mail"
    "forgejo"
    "caldav"
    "jellyfin"
    "grocy"
    "vault-ca"
    "music"
    # "owncast"
    # TODO: "rss"
  ];

  containerModules = map (name: ./containers + "/${name}") containerNames;

  # Package substitutions applied to this host's whole package set: anything
  # that depends on one of these attributes picks up the replacement.
  headlessOverlay = _final: prev: {
    # Use the prebuilt vault-bin everywhere so Vault is never compiled on this
    # server (vault-bin is already in use here).
    # NOTE(review): this moves trust from a source build to a prebuilt
    # binary; keep the nixpkgs pin current so Vault fixes arrive.
    vault = prev.vault-bin;

    # No hardware acceleration is needed on this machine, so every ffmpeg
    # attribute points at a headless build. Whether Jellyfin works with the
    # stock ffmpeg_6 build instead of its own ffmpeg package is unverified.
    # NOTE(review): ffmpeg parses untrusted media; the older aliases
    # (ffmpeg_4, ffmpeg_5) are worth dropping if nothing still uses them.
    jellyfin-ffmpeg = prev.ffmpeg_6-headless;
    ffmpeg = prev.ffmpeg-headless;
    ffmpeg_4 = prev.ffmpeg_4-headless;
    ffmpeg_5 = prev.ffmpeg_5-headless;
    ffmpeg_6 = prev.ffmpeg_6-headless;
    ffmpeg_7 = prev.ffmpeg_7-headless;
    mpd = prev.mpd-headless;
  };
in
{
  # `with tree;` spans the whole expression, so `presets`, `profiles` and
  # `hosts` below all resolve through `tree`.
  imports = with tree; [
    presets.nixos.serverBase
    presets.nixos.serverHetzner
    presets.nixos.serverEncryptedDrive
    profiles.nginx
    # Defined elsewhere; presumably opens the usual HTTP/HTTPS ports.
    # Confirm the exact port list in that profile.
    profiles.firewallAllow.httpCommon
    # profiles.chaosInternalWireGuard
    ./hardware.nix
    # NOTE(review): contents not visible here. Values evaluated into the Nix
    # store are world-readable, so confirm this only references secrets that
    # are decrypted at runtime.
    ./secrets.nix
  ] ++ containerModules ++ (with hosts.hetzner-arm.profiles; [ staticSites ]);

  # TODO: environment.noXlibs = true;

  nixpkgs.overlays = [ headlessOverlay ];

  # TODO: system.forbiddenDependenciesRegexes = ["libX11*"];
  # NOTE(review): the option name indicates regexes, not globs. In "libX11*"
  # the `*` repeats only the final "1"; confirm it matches what is intended.

  networking = {
    hostName = "hetzner-arm";

    # For containers: "ve-+" is a wildcard for the ve-<name> interfaces,
    # whose traffic is NATed out through enp1s0.
    # NOTE(review): this gives every matching container outbound access and
    # is not a filter. Restrict egress or inter-container traffic in the
    # firewall if any service should be isolated.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp1s0";
    };
  };

  # State-format compatibility markers, not the running release. Leave them
  # at the original install value when upgrading nixpkgs.
  home-manager.users.root.home.stateVersion = "24.05";
  system.stateVersion = "24.05";
}