# Shared baseline NixOS module: pulls in ./modules and sets host-overridable
# defaults for entropy, microcode, memory pressure, Nix GC, nginx, sshd, and
# the firewall. Most values use lib.mkDefault so a host can replace them.
{ config, pkgs, lib, options, ... }:
{
  imports = [ ./modules ];

  config = {
    # CPU microcode updates for both vendors.
    hardware.cpu = {
      amd.updateMicrocode = lib.mkDefault true;
      intel.updateMicrocode = lib.mkDefault true;
    };

    # RealtimeKit hands out realtime scheduling to user processes on request.
    security.rtkit.enable = lib.mkDefault true;

    # set some basic system props
    # NOTE(review): members of wheel get root through sudo without a password,
    # so a compromised wheel session is a compromised host. Hosts that need a
    # re-authentication step should override this default.
    security.sudo.wheelNeedsPassword = lib.mkDefault false;

    programs = {
      mosh.enable = lib.mkDefault true;
      fish.enable = lib.mkDefault true;
    };

    # Priority 900 beats a plain mkDefault (1000) but still yields to an
    # ordinary definition made by a host.
    users.defaultUserShell = lib.mkOverride 900 pkgs.fish;

    # Run the scheduled garbage collection at idle I/O and CPU priority.
    systemd.services.nix-gc.serviceConfig = {
      IOSchedulingClass = lib.mkDefault "idle";
      IOSchedulingPriority = lib.mkDefault 7;
      CPUSchedulingPolicy = lib.mkDefault "idle";
    };

    nix = {
      # The daemon (and therefore builds) also runs at idle priority.
      daemonCPUSchedPolicy = lib.mkDefault "idle";
      daemonIOSchedClass = lib.mkDefault "idle";
      daemonIOSchedPriority = lib.mkDefault 7;

      # Daily collection at 20:00 of generations older than 40 days.
      gc = {
        automatic = lib.mkDefault true;
        dates = lib.mkDefault "20:00";
        options = lib.mkDefault "--delete-older-than 40d";
      };

      settings = {
        # NOTE(review): trusted users can direct the daemon to use arbitrary
        # substituters and accept unsigned store paths, which the Nix manual
        # treats as equivalent to root. Keep this list as short as the build
        # setup allows; "@wheel" widens it to every administrator account.
        trusted-users = [ "root" "builder" "@wheel" ];
        builders-use-substitutes = true;
        # NOTE(review): "repl-flake" is not accepted by every Nix release;
        # verify it against the Nix version this module targets.
        experimental-features = [ "nix-command" "flakes" "repl-flake" ];
        # Keep derivations and their outputs alive across garbage collection.
        keep-derivations = true;
        keep-outputs = true;
      };
    };

    networking = {
      networkmanager.enable = lib.mkDefault true;

      # Use a firewall
      firewall = {
        enable = lib.mkDefault true;
        # Not a mkDefault: ICMP echo replies stay on unless a host forces it off.
        allowPing = true;
        # mkDefault on a list means an ordinary definition elsewhere replaces
        # this value rather than appending to it.
        allowedTCPPorts = lib.mkDefault [ 22 ];
      };
    };

    # package list
    environment.systemPackages = with pkgs; [
      exfat
      # to stop NixOS breaking
      git
    ];

    services = {
      haveged.enable = lib.mkDefault true;
      earlyoom.enable = lib.mkDefault true;

      # make nginx have good logging and defaults
      # Errors go to stderr and the access log goes to the local syslog socket.
      nginx = {
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        appendHttpConfig = ''
          error_log stderr;
          access_log syslog:server=unix:/dev/log combined;
        '';
      };

      # NOTE(review): newer NixOS releases expose the sshd options below under
      # services.openssh.settings.*; confirm the names against the release in use.
      openssh = {
        # Allow ssh
        enable = lib.mkDefault true;
        # Key-based logins only, and never directly as root.
        permitRootLogin = lib.mkDefault "no";
        passwordAuthentication = lib.mkDefault false;
        # "clientspecified" lets the connecting client choose the bind address
        # of a remote forward, including non-loopback addresses. Such a port is
        # reachable from outside only if the firewall also admits it, so audit
        # any host that widens allowedTCPPorts.
        gatewayPorts = lib.mkDefault "clientspecified";
        # Remove a stale Unix-domain socket before binding a forwarded one.
        extraConfig = ''
          StreamLocalBindUnlink yes
        '';
      };
    };
  };
}