# NixOS host module for "alo-cloud-1": a VM guest that joins the tailnet as an
# exit node, NATs tailnet traffic out of its public NIC, and exposes only the
# reverse proxy (80/443) to the internet.
{ pkgs, lib, inputs, ... }:

{
  imports = [
    ../../common/global
    ../../common/minimal-node.nix
    ./hardware.nix
    ./reverse-proxy.nix
  ];

  boot = {
    # virtio_gpu in the initrd + console=tty: get a working console on the
    # hypervisor's virtual display early in boot.
    initrd.kernelModules = [ "virtio_gpu" ];
    kernelParams = [ "console=tty" ];
  };

  networking = {
    hostName = "alo-cloud-1";

    # Masquerade tailnet clients (tailscale0) out through the public NIC so
    # this host can serve as their exit node.
    nat = {
      enable = true;
      externalInterface = "enp1s0";
      internalInterfaces = [ "tailscale0" ];
    };

    firewall = {
      # Forced on in case a common module or the minimal profile disables it.
      enable = lib.mkForce true;
      allowedTCPPorts = [ 80 443 ];      # Public web traffic only
      allowedUDPPorts = [ 41641 ];       # Tailscale direct (WireGuard) connections
      # Everything listening on this host is reachable over the tailnet;
      # the per-port lists above apply to the public interface only.
      trustedInterfaces = [ "tailscale0" ];
    };
  };

  services = {
    # NOTE(review): a reusable tskey-auth literal lives in this module, so it
    # ends up in the repository history and in the world-readable Nix store on
    # every evaluating machine. Treat a key committed here as exposed: revoke /
    # rotate it in the Tailscale admin console and prefer supplying it through a
    # secrets file (e.g. upstream's services.tailscale.authKeyFile) if the
    # tailscaleAutoconnect module from ../../common supports that — confirm.
    tailscaleAutoconnect.authkey = "tskey-auth-kbdARC7CNTRL-pNQddmWV9q5C2sRV3WGep5ehjJ1qvcfD";

    tailscale = {
      enable = true;
      # enables IPv4/IPv6 forwarding + loose rp_filter
      useRoutingFeatures = lib.mkForce "server";
      extraUpFlags = [ "--advertise-exit-node" ];
    };

    # Keys only. services.openssh.enable is not set in this file; presumably the
    # shared modules turn sshd on — verify, otherwise this setting is inert.
    openssh.settings.PasswordAuthentication = false;
  };
}