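# NixOS module for a Xen domU guest: Nix daemon options, firewall, locked-down
# accounts, sops-nix key source, a few admin tools, and key-only SSH access.
{ pkgs, config, lib, modulesPath, ... }:
{
  imports = [
    ./admins.nix
    ./nix_keys.nix
    (modulesPath + "/virtualisation/xen-domU.nix")
  ];

  nix = {
    # Appended verbatim to nix.conf, so each setting must stay on its own line.
    extraOptions = ''
      experimental-features = nix-command flakes
      builders-use-substitutes = true
    '';
  };

  networking = {
    firewall = {
      # These should be the defaults, but set them explicitly so a changed
      # upstream default cannot silently open the host.
      enable = true;
      allowPing = true;
    };
    nftables.enable = true;
    # We don't speak DHCP, and even if we did, it should be enabled per interface.
    useDHCP = false;
    # hosts =
    # TODO: write something to autogenerate IP addresses!
  };

  users = {
    # Accounts are defined only by this configuration; changes made at
    # runtime (passwd, useradd) do not persist.
    mutableUsers = false;
    # "!" is not a valid password hash, so no password can ever match:
    # root has no usable password.
    users.root.hashedPassword = "!";
  };

  # The SSH host key doubles as the age identity used to decrypt sops secrets,
  # so anyone who can read this key can decrypt every secret encrypted for
  # this host.
  # NOTE(review): the sops-nix module itself is not imported in this file;
  # presumably it is pulled in elsewhere - confirm.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  environment = {
    systemPackages = builtins.attrValues {
      inherit (pkgs)
        htop
        lsof
        tmux
        btop
        ;
    };
  };

  services = {
    # Cap the on-disk journal at 5G.
    journald.extraConfig = "SystemMaxUse=5G";

    # Only the recommended* presets are set; nginx is not enabled here.
    nginx = {
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedTlsSettings = true;
    };

    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        # NixOS leaves keyboard-interactive authentication enabled by default,
        # and through PAM it can still accept an account password even though
        # PasswordAuthentication is off. Disable it so logins are key-only.
        # Remove this line only if a PAM challenge-response second factor is
        # deliberately in use.
        KbdInteractiveAuthentication = false;
      };
    };
  };
}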