{ config, lib, ... }:
let
  mkDefault = lib.mkDefault;
  inputs = config.dadada.inputs;
in
{
  imports = [
    ./upgrade-pg-cluster.nix
  ];

  i18n.defaultLocale = mkDefault "en_US.UTF-8";
  console = mkDefault {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  time.timeZone = mkDefault "Europe/Berlin";

  nix.settings.substituters = [ https://cache.nixos.org/ ];

  nix.settings.trusted-public-keys = [
    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    "gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
  ];

  nix.settings.require-sigs = true;

  nix.settings.auto-optimise-store = true;

  nix.gc = {
    automatic = true;
    dates = "daily";
    options = "--delete-older-than 3d";
  };

  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  networking.networkmanager.dns = mkDefault "systemd-resolved";

  networking.hosts = {
    "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe" = [ "backup1.dadada.li" ];
  };

  services.resolved = {
    enable = mkDefault true;
    fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ];
  };

  programs.zsh.enable = mkDefault true;

  # Mitigation for CVE-2024-6387
  # Might be vulnerable to DOS, but better than RCE ...
  # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
  services.openssh.settings.LoginGraceTime = 0;
}