{
  config,
  inputs,
  pkgs,
  ...
}:
{
  imports = [
    inputs.disko.nixosModules.disko

    ../global/sops.nix

    ./hetzner.nix
  ];

  programs.zsh.enable = true;
  environment.pathsToLink = [ "/share/zsh" ];
  environment.shells = [ pkgs.zsh ];

  environment.enableAllTerminfo = true;

  users.users.lander = {
    isNormalUser = true;
    shell = pkgs.zsh;
    extraGroups = [
      "wheel"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
    ];
  };

  sops.secrets.tailscale-authkey = {
    owner = "root";
    group = "root";
    sopsFile = ./secrets.yaml;
  };

  services.tailscale = {
    enable = true;
    openFirewall = true;
    extraUpFlags = [
      "--login-server=https://headscale.escapeangle.com"
    ];
    authKeyFile = config.sops.secrets.tailscale-authkey.path;
  };

  nix = {
    settings = {
      trusted-users = [ "lander" ];

      accept-flake-config = true;
      auto-optimise-store = true;
    };

    registry = {
      nixpks = {
        flake = inputs.nixpkgs;
      };
    };

    nixPath = [
      "nixpkgs=${inputs.nixpkgs.outPath}"
      "nixos-config=/etc/nixos/configuration.nix"
      "/nix/var/nix/profiles/per-user/root/channels"
    ];

    package = pkgs.nixVersions.stable;
    extraOptions = ''experimental-features = nix-command flakes'';

    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}