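# NixOS host configuration for a machine that sits on a DMZ VLAN bridge,
# runs libvirt, and authenticates SSH host and user identities with
# CA-issued certificates. `machine` carries the public certificates; the
# matching private keys are decrypted at activation by agenix (./agenix.nix).
{ pkgs, config, machine, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    ./agenix.nix
  ];

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Amsterdam";

  i18n = {
    defaultLocale = "en_US.UTF-8";
    extraLocaleSettings = {
      LC_ADDRESS = "nl_NL.UTF-8";
      LC_IDENTIFICATION = "nl_NL.UTF-8";
      LC_MEASUREMENT = "nl_NL.UTF-8";
      LC_MONETARY = "nl_NL.UTF-8";
      LC_NAME = "nl_NL.UTF-8";
      LC_NUMERIC = "nl_NL.UTF-8";
      LC_PAPER = "nl_NL.UTF-8";
      LC_TELEPHONE = "nl_NL.UTF-8";
      LC_TIME = "nl_NL.UTF-8";
    };
  };

  services = {
    openssh = {
      enable = true;
      # Only public-key / certificate logins: no password and no
      # keyboard-interactive authentication on the server side.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
      # The host certificate is public data, so it may live in the Nix store.
      # The private host key must not: it is read from the agenix secret path.
      extraConfig = ''
        HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert}
        HostKey ${config.age.secrets.host_ed25519.path}
      '';
    };

    xserver = {
      layout = "us";
      xkbVariant = "";
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
  ];

  programs.ssh = {
    # Trust host certificates signed by these CA keys for the matching name
    # patterns (written as @cert-authority entries in the global known_hosts).
    knownHosts = {
      dmz = {
        hostNames = [ "*.dmz" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
        certAuthority = true;
      };
      hypervisors = {
        hostNames = [ "*.hyp" ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
        certAuthority = true;
      };
    };
    # Client-side (ssh_config) settings. `CertificateFile` must be paired with
    # `IdentityFile` pointing at the private key; `HostKey` is an sshd_config
    # directive and is rejected by the ssh client as a bad configuration option.
    extraConfig = ''
      CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert}
      IdentityFile ${config.age.secrets.user_ed25519.path}
    '';
  };

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = with pkgs; [
    vim
    neofetch
    python3
  ];

  # The NixOS firewall module is disabled on purpose: the hand-written
  # ruleset in ./nftables.conf is the only packet filter on this host.
  # checkRuleset validates the file at build time so a broken ruleset fails
  # the build instead of leaving the host unfiltered after activation.
  networking.firewall.enable = false;
  networking.nftables = {
    enable = true;
    checkRuleset = true;
    ruleset = builtins.readFile ./nftables.conf;
  };

  system.stateVersion = "23.05";

  systemd.network = {
    enable = true;
    netdevs = {
      # VLAN 30 carried on the main NIC, enslaved to the DMZ bridge below.
      "20-vlandmz" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlandmz";
        };
        vlanConfig.Id = 30;
      };
      "20-bridgedmz" = {
        netdevConfig = {
          Kind = "bridge";
          Name = "bridgedmz";
        };
      };
    };
    networks = {
      "30-main-nic" = {
        matchConfig.Name = "en*";
        networkConfig = {
          DHCP = "yes";
        };
        vlan = [ "vlandmz" ];
      };
      # The VLAN and bridge interfaces carry no host addresses (no RA, no
      # link-local); they exist only to pass DMZ traffic through to guests.
      "40-vlandmz" = {
        matchConfig.Name = "vlandmz";
        networkConfig = {
          IPv6AcceptRA = false;
          LinkLocalAddressing = "no";
          Bridge = "bridgedmz";
        };
        linkConfig.RequiredForOnline = "enslaved";
      };
      "40-bridgedmz" = {
        matchConfig.Name = "bridgedmz";
        networkConfig = {
          IPv6AcceptRA = false;
          LinkLocalAddressing = "no";
        };
        linkConfig.RequiredForOnline = "carrier";
      };
    };
  };

  virtualisation.libvirtd.enable = true;
}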