os/modules/koon/host/ark/configuration.nix

{ self, ... }: {
  flake.nixosModules.koonArkConfiguration = { config, ... }: {
    imports = [
      ./_hardware-configuration.nix
      self.nixosModules.koonArkUser
      self.nixosModules.koonArkSops

      self.nixosModules.koonArkServiceAudio
      self.nixosModules.koonArkServiceAuth
      self.nixosModules.koonArkServiceGit
      self.nixosModules.koonArkServiceHome
      self.nixosModules.koonArkServicePhotos
      self.nixosModules.koonArkServiceRadicale
      self.nixosModules.koonArkServiceWakapi
    ];

    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    networking.hostName = "ark";
    networking.nameservers = [ "8.8.8.8" "1.1.1.1" ];

    services.tailscale = {
      enable = true;
      useRoutingFeatures = "both";
      extraUpFlags = [ "--accept-dns=false" ];
    };

    # oauth.name = "KoonFamily";
    # oauth.secrets = import ./oauth-secrets.nix;

    security.sudo.wheelNeedsPassword = false;

    services.cloudflared = {
      enable = true;
      tunnels = {
        "91d31395-fbc7-45a1-ae13-148957b32ecd" = {
          credentialsFile = config.sops.secrets.tunnel-credentials.path;
          ingress = {
            "auth.koon.us" = "http://localhost:1411";
            "photos.koon.us" = "http://localhost:2283";
            "home.koon.us" = "http://localhost:8123";
            "docs.koon.us" = "http://localhost:3004";
            "git.koon.us" = "http://localhost:3000";
            "ssh.koon.us" = "ssh://localhost:2222";
            "audio.koon.us" = "http://localhost:8021";
            "radicale.koon.us" = "http://localhost:5232";
            "waka.koon.us" = "http://localhost:3006";
            # "ride.koon.us" = "http://localhost:3007";
            # "ride-api.koon.us" = "http://localhost:8080";

            "money.koon.us" = "http://localhost:3160";
            "zero.koon.us" = "http://localhost:4848";
            "money-api.koon.us" = "http://localhost:3161";

          };
          default = "http_status:404";
        };
      };
    };

    fileSystems."/mnt/hdd" = {
      device = "/dev/sdb";
      fsType = "ext4";
    };

    services.openssh.enable = true;

    networking.firewall.allowedTCPPorts = [ 8123 22 ];

    time.timeZone = "America/New_York";
    nix.settings.experimental-features = [ "nix-command" "flakes" ];

    system.stateVersion = "25.05"; # Did you read the comment?
  };
}