# Shared baseline NixOS module: pulls in ./modules and sets fleet-wide defaults.
# Almost every value uses mkDefault (priority 1000), so a plain definition in a
# host configuration replaces it. The exceptions are called out where they occur.
{ config, pkgs, lib, options, ... }:
let
  inherit (lib) mkDefault mkOverride;
in
{
  imports = [ ./modules ];

  config = {
    # Entropy daemon, RealtimeKit, early OOM killer and mosh.
    services.haveged.enable = mkDefault true;
    security.rtkit.enable = mkDefault true;
    services.earlyoom.enable = mkDefault true;
    # NOTE(review): the NixOS mosh module is expected to open its UDP port range
    # in the firewall, which goes beyond the TCP 22 listed at the bottom; verify.
    programs.mosh.enable = mkDefault true;

    # Firmware blobs and CPU microcode for both vendors; microcode updates are
    # how CPU errata and security fixes reach the machine.
    hardware = {
      enableAllFirmware = mkDefault true;
      enableRedistributableFirmware = mkDefault true;
      cpu.amd.updateMicrocode = mkDefault true;
      cpu.intel.updateMicrocode = mkDefault true;
    };

    # Run the garbage-collection unit at idle I/O and CPU priority.
    systemd.services.nix-gc.serviceConfig = {
      IOSchedulingPriority = mkDefault 7;
      IOSchedulingClass = mkDefault "idle";
      CPUSchedulingPolicy = mkDefault "idle";
    };

    nix = {
      package = mkDefault pkgs.nixUnstable;

      # Collect garbage at 20:00, dropping generations older than 40 days.
      gc = {
        automatic = mkDefault true;
        dates = mkDefault "20:00";
        options = mkDefault "--delete-older-than 40d";
      };

      # The daemon itself also runs at idle priority.
      daemonIOSchedPriority = mkDefault 7;
      daemonIOSchedClass = mkDefault "idle";
      daemonCPUSchedPolicy = mkDefault "idle";

      # Security: trusted users may override daemon settings such as
      # substituters and signature checking, which the Nix manual describes as
      # equivalent to root access. Here that covers "builder" and all of wheel.
      # The list is not wrapped in mkDefault, so entries from other modules are
      # merged with it rather than replacing it.
      trustedUsers = [ "root" "builder" "@wheel" ];

      # Flakes and the new CLI are enabled; keep-outputs/keep-derivations are
      # switched on alongside the automatic GC above.
      extraOptions = ''
        builders-use-substitutes = true
        experimental-features = nix-command flakes
        keep-outputs = true
        keep-derivations = true
      '';
    };

    # nginx defaults: errors to stderr, access log to the local syslog socket.
    # This module does not enable nginx; the settings apply only where a host
    # turns it on. recommendedTlsSettings is not set here.
    services.nginx = {
      recommendedGzipSettings = mkDefault true;
      recommendedOptimisation = mkDefault true;
      recommendedProxySettings = mkDefault true;
      appendHttpConfig = ''
        error_log stderr;
        access_log syslog:server=unix:/dev/log combined;
      '';
    };

    services.openssh = {
      enable = mkDefault true;
      # Key-based login only. Keyboard-interactive authentication is a separate
      # sshd setting and is not touched by this module.
      passwordAuthentication = mkDefault false;
      # "clientspecified" lets the ssh client choose the bind address of a
      # remote forward, including non-loopback addresses. Whether such a port
      # is reachable from outside still depends on the firewall rules below.
      gatewayPorts = mkDefault "clientspecified";
    };

    # Accepts the Oracle JDK licence for every machine importing this module.
    nixpkgs.config.oraclejdk.accept_license = mkDefault true;

    # Security: wheel members get sudo without a password, so control of any
    # wheel account (for example through its SSH key) is control of root.
    security.sudo.wheelNeedsPassword = mkDefault false;

    networking = {
      networkmanager.enable = mkDefault true;
      # Cloudflare public resolvers. Not wrapped in mkDefault, so host-level
      # entries are added to this list instead of replacing it.
      nameservers = [ "1.1.1.1" "1.0.0.1" ];

      # Firewall on, inbound TCP limited to SSH. Because the port list is a
      # mkDefault, a plain definition elsewhere replaces it instead of extending it.
      firewall = {
        enable = mkDefault true;
        allowedTCPPorts = mkDefault [ 22 ];
      };
    };

    time.timeZone = mkDefault "America/Phoenix";

    # Diagnostic and hardware-inspection tools installed system-wide.
    environment.systemPackages = with pkgs; [
      psmisc
      usbutils
      pciutils
      cpufrequtils
      intel-gpu-tools
      lshw
      lsof
      bind
      file
      iotop
      htop
      glances
      powertop
      exfat
      # to stop NixOS breaking
      # NOTE(review): confirm `git` is meant as a list entry and not the tail
      # of the comment above.
      git
    ];

    # fish as the login shell; priority 900 sits just above mkDefault and still
    # yields to any plain definition.
    programs.fish.enable = mkDefault true;
    users.defaultUserShell = mkOverride 900 pkgs.fish;
  };
}