{ pkgs, outputs, config, ... }: {
  imports =
    [
      ./hardware-configuration.nix
    ];

  boot = {
    loader.systemd-boot.enable = true;
    kernelParams = [ "i915.enable_psr=0" ];
  };

  networking.hostName = "x260";
  time.timeZone = "Europe/Amsterdam";
  i18n.defaultLocale = "en_US.UTF-8";

  services.xserver = {
    enable = true;
    displayManager.gdm = {
      enable = true;
    };
    desktopManager.gnome.enable = true;
    excludePackages = with pkgs; [ xterm ];
  };

  users = {
    users.pim = {
      isNormalUser = true;
      extraGroups = [ "wheel" "docker" ];
    };
  };

  environment = {
    systemPackages = with pkgs; [
      wget
      curl
      git
      btop
      ripgrep
      vim
      dogdns
      tree
      bat
    ];
    gnome.excludePackages = with pkgs; [
      gnome.totem
      gnome-tour
      gnome.epiphany
      gnome.geary
      gnome-console
      gnome.gnome-music
    ];
  };

  system.stateVersion = "23.05";

  programs.ssh.knownHosts = {
    dmz = {
      hostNames = ["*.dmz"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
      certAuthority = true;
    };

    hypervisors = {
      hostNames = ["*.hyp"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
      certAuthority = true;
    };
  };

  security.sudo.extraConfig = ''
    Defaults        timestamp_timeout=30
  '';

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    gc = {
      automatic = true;
      persistent = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };

  age.secrets.wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
  age.secrets.wg-quick-home-preshared-key.file = ./secrets/wg-quick-home-preshared-key.age;
  age.identityPaths = [ "/home/pim/.ssh/age_ed25519" ];

  networking.wg-quick = {
    interfaces.home = {
      privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
      address = [
        "10.225.191.4/24"
        "fd11:5ee:bad:c0de::4/64"
      ];
      dns = [ "192.168.30.8" ];
      peers = [{
        presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
        endpoint = "84.245.14.149:51820";
        publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
        allowedIPs = [
          "0.0.0.0/0"
          "::0/0"
        ];
      }];
    };
  };

  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };

  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      outputs.overlays.nurPackages

      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default

      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
    };
  };
}