{ pkgs, lib, inputs, config, ... }:
{
  system = {
    stateVersion = "24.05";

    # Installer helpers (nixos-install, nixos-generate-config, ...) are not
    # needed on a deployed host.
    disableInstallerTools = true;

    # Print the package-version delta between the running system and the one
    # being activated; also runs on `nixos-rebuild dry-activate`.
    activationScripts.diff = {
      supportsDryActivation = true;
      text = ''
        if [[ -e /run/current-system ]]; then
          echo "--- diff to current-system"
          ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
          echo "---"
        fi
      '';
    };
  };

  environment = {
    # Small tool set; perl-free by design (see defaultPackages / programs below).
    systemPackages = [
      pkgs.vim
      pkgs.curl
      pkgs.dnsutils
      pkgs.gitMinimal
    ];

    # The NixOS default package set pulls in perl; start from nothing instead.
    defaultPackages = [ ];

    # No real browser on this host.
    variables.BROWSER = "echo";

    # No stub ld.so for foreign dynamic binaries.
    stub-ld.enable = lib.mkDefault false;
  };

  nixpkgs.config.allowUnfree = true;

  nix = {
    # No channels: all inputs are pinned through the flake.
    nixPath = [ ];

    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };

    # Pin `nixpkgs` in the system flake registry to the exact revision this
    # configuration was built from.
    registry.nixpkgs.to = {
      owner = "nixos";
      repo = "nixpkgs";
      type = "github";
      rev = inputs.nixpkgs.rev;
    };

    settings = {
      # Hard-link identical store files to save space.
      auto-optimise-store = true;
      # Build in an isolated sandbox so derivations cannot read host state.
      sandbox = true;
      experimental-features = [ "nix-command" "flakes" "ca-derivations" ];
      # Empty value: do not fetch the default global flake registry; only the
      # pinned entry above is used.
      flake-registry = "";
      connect-timeout = 20;
      log-lines = lib.mkDefault 25;
      # Free-space thresholds in bytes; mkDefault so a host module can override.
      max-free = lib.mkDefault (3000 * 1024 * 1024);
      min-free = lib.mkDefault (512 * 1024 * 1024);
    };
  };

  networking.firewall = {
    # NOTE(review): the host firewall is off, so every listening service
    # (sshd below) is reachable from any network this host is on. The
    # logRefusedConnections setting has no effect while enable = false.
    enable = false;
    # Quieter logs
    logRefusedConnections = false;
  };

  systemd = {
    # Unnecessary / nonsensical
    services.NetworkManager-wait-online.enable = false;
    network.wait-online.enable = false;

    # Hardening: do not drop into the emergency shell on boot failure.
    enableEmergencyMode = false;
  };

  boot = {
    # Hardening: start every boot with an empty /tmp.
    tmp.cleanOnBoot = true;

    # nixos-container support pulls in perl.
    enableContainers = lib.mkDefault false;

    # TCP BBR congestion control with the fq qdisc: higher throughput and lower
    # latency for connections.
    kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
  };

  # Hardening
  users = {
    # Accounts and passwords come only from this configuration; no passwd/
    # useradd changes survive a rebuild.
    mutableUsers = false;

    # NOTE(review): this yescrypt ($y$) hash is stored in the repository, so
    # anyone who can read the repo can attempt offline cracking, and the same
    # password is accepted over SSH because PasswordAuthentication and
    # PermitRootLogin are both enabled below. hashedPasswordFile pointing at a
    # secret outside the repo, or key-only root access, avoids both.
    users.root.hashedPassword = "$y$j9T$5aHaSd9AkFijcpHRJk07q1$hxRPTrwvo3hZqFcOvNIam.iJ7jDR2ZAeZsTmQYphKpA";
  };

  programs = {
    # lessopen pulls in perl.
    less.lessopen = lib.mkDefault null;
    vim.defaultEditor = true;
    command-not-found.enable = lib.mkDefault false;
  };

  # No manuals or NixOS documentation on this host.
  documentation = {
    enable = false;
    nixos.enable = false;
    man.enable = false;
  };

  # Desktop integration hooks are not wanted; each is mkDefault so a graphical
  # profile can turn them back on.
  xdg = lib.genAttrs [ "autostart" "icons" "mime" "sounds" ] (_: {
    enable = lib.mkDefault false;
  });

  services = {
    # Unnecessary programs/services
    logrotate.enable = lib.mkDefault false;
    udisks2.enable = lib.mkDefault false;

    # SSH
    openssh = {
      enable = true;
      settings = {
        X11Forwarding = false;
        KbdInteractiveAuthentication = false;
        # NOTE(review): password login is on and root may log in with it, with
        # no host firewall in front. Once key access is in place, consider
        # PasswordAuthentication = false and PermitRootLogin =
        # "prohibit-password"; at minimum, rate-limit sshd externally.
        PasswordAuthentication = true;
        # Skip reverse DNS on connect (faster logins, no DNS-dependent
        # behaviour).
        UseDns = false;
        PermitRootLogin = "yes";
        # Key exchange restricted to curve25519, large-group DH and the
        # post-quantum hybrid; classic group14/ECDH-NIST are excluded.
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group16-sha512"
          "diffie-hellman-group18-sha512"
          "sntrup761x25519-sha512@openssh.com"
        ];
      };
    };
  };
}