{config, ...}: {
  networking = {
    firewall.allowedTCPPorts = with config.constants.port; [http https];
    hostId = "2cadb253";
  };

  services = {
    cloudflare-dyndns = {
      enable = true;
      apiTokenFile = config.sops.secrets.cloudflare.path;
      domains = builtins.attrNames config.services.caddy.virtualHosts;
    };
    openssh.enable = true;
    tailscale.useRoutingFeatures = "both";
  };

  sops.secrets.cloudflare = {};
}