# Baseline NixOS module shared by every machine: firewall/nftables, locked
# root account, impermanence, sops host key, deploy-key trust, a few CLI
# tools, journald cap, nginx defaults, hardened sshd and forced timesyncd.
{ pkgs, lib, ... }:

let
  # Public key of the nodens deploy signer, trusted as a substituter key on
  # every machine so system closures built on nodens can be pushed out.
  # Right now this is the only extra trusted key.
  # Security note: whoever controls nodens (or its build process) can thereby
  # obtain control of every other machine. Convenient and a step towards CI,
  # but probably not something we want for the backup hosts; moving this to
  # the VM part is the trade-off to revisit.
  nodensDeployKey = "nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU=";
in
{
  imports = [
    ./admins.nix
    ./nix.nix
    ./prometheusNodeExporter.nix
    ../modules/impermanence.nix
  ];

  # Firewall on, pings allowed. Both should already be the defaults, but we
  # pin them explicitly rather than rely on that.
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  networking.nftables.enable = true;
  # No DHCP: addresses are configured statically, per interface, where needed.
  networking.useDHCP = false;
  # networking.hosts is intentionally left unset for now.
  # TODO: write something to auto-generate IP addresses for it.

  # Declarative users only; the root password is locked ("!"), so root is
  # reachable solely via sudo from the admin accounts.
  users.mutableUsers = false;
  users.users.root.hashedPassword = "!";

  impermanence.enable = true;

  # sops decrypts secrets with the host's ed25519 SSH key.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  nix.settings.trusted-public-keys = [ nodensDeployKey ];

  # Small set of interactive diagnostics tools on every host.
  environment.systemPackages = [
    pkgs.btop
    pkgs.htop
    pkgs.lsof
    pkgs.tmux
  ];

  # Cap the persistent journal so it cannot fill the disk.
  services.journald.extraConfig = "SystemMaxUse=5G";

  # Sensible nginx defaults for any host that enables it.
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedTlsSettings = true;

  # sshd: key-based logins only, never as root.
  # NOTE(review): NixOS leaves KbdInteractiveAuthentication at its default
  # (true) unless set here — confirm PAM does not still offer a password
  # prompt via keyboard-interactive.
  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = "no";
  services.openssh.settings.PasswordAuthentication = false;

  # Force timesyncd on: the Xen hardware clock otherwise lets the guest clock
  # drift.
  services.timesyncd.enable = lib.mkForce true;
}