{
  flake,
  modulesPath,
  lib,
  config,
  pkgs,
  ...
}:

let
  inherit (flake) inputs;
  inherit (inputs) self;
in
{
  imports = [
    self.nixosModules.default
    "${modulesPath}/virtualisation/lxc-container.nix"
  ];
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "graylog_6.0"
      "mongodb-6_0"
      "mongodb-ce"
    ];

  sops.secrets.graylog = {
    mode = "0440";
    owner = "graylog";
    group = "graylog";
  };

  systemd.services.graylog = {
    after = [ "sops-nix.service" ];
    serviceConfig = {
      EnvironmentFile = config.sops.secrets.graylog.path;
    };
  };
  services = {
    graylog = {
      enable = true;
      extraConfig = ''
        http_external_uri = https://graylog.skdevstudios.com/
        http_bind_address = 0.0.0.0:9000
      '';
      elasticsearchHosts = [ "http://127.0.0.1:9200" ];
      package = pkgs.graylog-6_0;
      passwordSecret = "";
      rootPasswordSha2 = "";
    };
    mongodb = {
      enable = true;
      package = pkgs.mongodb-ce;
    };
    opensearch = {
      enable = true;
      settings = {
        "cluster.name" = "default";
      };
    };
  };
  networking = {
    hostName = "graylog-tofu";
  };
  environment.systemPackages = [
  ];
  system.stateVersion = "25.05";
}