({
  config,
  pkgs,
  lib,
  ...
}: {
  nixpkgs.overlays = [nix-bitcoin.overlays.default];

  nix-bitcoin.generateSecrets = true;

  # Enable core services
  services.bitcoind = {
    enable = true;
    dataDir = "/var/lib/bitcoind";
    address = "0.0.0.0";
    port = 23002;
    listen = true;
    listenWhitelisted = true;
    whitelistedPort = 8335;
    rpc = {
      address = "0.0.0.0";
      port = 8332;
      threads = 16;
      allowip = ["10.1.1.0/24"];
    };
    regtest = false;
    dataDirReadableByGroup = false;
    disablewallet = null;
    dbCache = 4000;
    prune = 10000;
    zmqpubrawblock = "tcp://0.0.0.0:28332";
    zmqpubrawtx = "tcp://0.0.0.0:28333";
    user = "bitcoind";
    group = "bitcoind";
  };

  services.nbxplorer = {
    enable = true;
    address = "0.0.0.0";
    port = 24444;
    user = "nbxplorer";
    group = "nbxplorer";
  };

  services.btcpayserver = {
    enable = true;
    address = "0.0.0.0";
    port = 23000;
    lbtc = true;
    user = "btcpayserver";
    group = "btcpayserver";
    lightningBackend = "clightning";
  };

  # Firewall: Open necessary ports
  networking.firewall.allowedTCPPorts = [
    config.services.btcpayserver.port
    config.services.bitcoind.port
    config.services.nbxplorer.port
    22
  ];

  # SSH setup
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
  ];

  system.stateVersion = "25.05";
})