# Base NixOS module for the host: pulls in the disko, sops-nix and webserver
# flake modules plus the local module trees, then configures Nix, networking,
# the admin user, SSH access and sudo authentication.
{ lib, modulesPath, flake-inputs, ... }:
{
  imports = [
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default

    "${modulesPath}/profiles/minimal.nix"
    ../modules
    ./nginx
    ./services
  ];

  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  # Enable remote builds from tlater.
  # NOTE(review): the Nix manual describes trusted users as effectively
  # root-equivalent on the daemon, so every member of wheel gets that level of
  # access without going through the sudo/rssh check configured below. Keep
  # wheel membership as tight as the sudoers list itself.
  nix.settings.trusted-users = [ "@wheel" ];

  # Interfaces keep kernel names and get no implicit DHCP; addressing is left
  # to systemd-networkd, whose units are not defined in this file.
  networking.useDHCP = false;
  networking.usePredictableInterfaceNames = false;
  systemd.network.enable = true;

  time.timeZone = "Europe/London";

  # Single interactive account; it is in wheel and logs in with the public key
  # tracked in the repository. No password is set for it in this file.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
  };

  services.logrotate.enable = true;

  services.openssh = {
    enable = true;
    ports = [ 2222 ];
    # sshd is started on demand (socket activation) rather than kept running.
    startWhenNeeded = true;

    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # NOTE(review): keyboard-interactive authentication is a separate sshd
      # setting and is not turned off here; confirm it is disabled elsewhere
      # (or that no account has a password) if key-only login is the intent.

      # NOTE(review): "yes" lets remote port forwards (ssh -R) bind on all
      # interfaces instead of loopback only, so any forwarded service becomes
      # reachable from the network unless the firewall blocks it. Confirm the
      # firewall policy covers this; "clientspecified" is the narrower sshd
      # setting if only some forwards need to be public.
      GatewayPorts = "yes";
    };
  };

  # Only wheel members may execute the sudo binary at all.
  security.sudo.execWheelOnly = true;

  # sudo authenticates through pam_rssh, i.e. against keys offered by the
  # caller's SSH agent, instead of a password.
  security.pam.rssh = {
    enable = true;
    # Keys are looked up per requesting user under /etc/ssh/authorized_keys.d.
    # NOTE(review): this presumably is the root-managed location NixOS writes
    # users.users.<name>.openssh.authorizedKeys to, which keeps the file out of
    # the user's own control - verify, since a user-writable key file here
    # would let an unprivileged process grant itself sudo.
    settings.auth_key_file = "/etc/ssh/authorized_keys.d/$ruser";
  };
  security.pam.services.sudo.rssh = true;

  # NOTE(review): a path literal like this is typically copied into the
  # world-readable Nix store, so the file must contain sops-encrypted values
  # only - never plaintext secrets.
  sops.defaultSopsFile = ../keys/production.yaml;

  # Remove some unneeded packages
  environment.defaultPackages = lib.mkForce [ ];

  system.stateVersion = "20.09";
}