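# NixOS module: burp backup server plus a locked-down SSH account that remote
# clients use only to open a tunnel to that server.
{ config, lib, pkgs, ... }:

{
  services.burp.server = {
    enable = true;
    dataDirectory = "/data/burp";

    # Quoted string, not a Nix path literal: the file is referenced by name
    # and is not copied into the world-readable /nix/store.
    # NOTE(review): presumably read at service start; confirm the file is
    # owned by the burp service user and not group/world readable.
    sslKeyPasswordFile = "/secrets/burp_server_ssl_key_password";

    workingDirRecoveryMethod = "resume";
    maxResumeAttempts = 3;
    keep = [ 14 4 6 2 ];

    # One attribute per client name, each pointing at its own password file
    # under /secrets/burp_client_passwords/. The server's own hostname is
    # registered as a client alongside the remote machines.
    clients = lib.listToAttrs (map
      (client: {
        name = client;
        value = {
          passwordFile = "/secrets/burp_client_passwords/${client}";
        };
      })
      [
        config.networking.hostName
        "Pullach"
        "Disco"
        "Berthold"
        "Ernesto"
        "Emitter"
      ]);

    # Only the server itself is listed as a super client.
    # NOTE(review): presumably this lets it act on other clients' backups;
    # keep this list as short as possible.
    superClients = [ config.networking.hostName ];

    timerArgs = [
      "20h"
      "Mon,Tue,Wed,Thu,Fri,Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23"
    ];
  };

  # Used for other clients to open an SSH tunnel to the burp server
  users.users.burp-remote = {
    isNormalUser = false;
    isSystemUser = true;
    createHome = false;
    group = "nogroup";
    # A shell is necessary for the user to run `sleep`
    # (sshd runs ForceCommand through the account's login shell).
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItwImll4vcrfRQZjf6zkEGJswpL9EdWRiibXtjis99J root@Emitter"
    ];
  };

  # ForceCommand only replaces the session command; it does not limit what the
  # account may forward. The tunnel account therefore also gets agent
  # forwarding, X11 forwarding and PTY allocation switched off.
  #
  # NOTE(review): the forwarding destination is still unrestricted. Once the
  # burp listen address/port is confirmed, add inside the Match block:
  #   PermitOpen <BURP_LISTEN_ADDRESS>:<BURP_PORT>
  # and, if clients only ever use local (-L) forwards:
  #   AllowTcpForwarding local
  #
  # The trailing `Match All` closes the block, so sshd options appended by
  # other modules through extraConfig are not silently scoped to burp-remote.
  services.openssh.extraConfig = ''
    Match User burp-remote
      ForceCommand ${pkgs.coreutils}/bin/sleep 10
      AllowAgentForwarding no
      X11Forwarding no
      PermitTTY no
    Match All
  '';
}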