{
  inputs',
  inputs,
  lib,
  pkgs,
  self,
  config,
  ...
}:
let
  inherit (lib)
    mkDefault
    mkIf
    ;
in
{
  imports = with inputs; [
    agenix.nixosModules.default
    impermanence.nixosModules.default
    nix-index-database.nixosModules.nix-index

    ./hardware.nix
    ./impermanence.nix
    ./modules
    ./openssh.nix
    ./programs.nix
    ./users.nix
    ./vm.nix
  ];

  nix = {
    package = inputs'.nix-super.packages.default;

    settings = {
      auto-optimise-store = true;
      experimental-features = [
        "ca-derivations"
        "flakes"
        "nix-command"
      ];
      log-lines = 500;
      show-trace = true;
      trusted-users = [
        "@wheel"
      ];

      min-free = 10 * 1024 * 1024 * 1024;
      max-free = 50 * 1024 * 1024 * 1024;
    };

    registry =
      let
        mappedRegistry = lib.mapAttrs' (name: flake: lib.nameValuePair name { inherit flake; }) inputs;
      in
      mappedRegistry // { default = mappedRegistry.nixpkgs; };

    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 90d";
    };

    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
  };

  boot = {
    loader = {
      grub = {
        enable = mkDefault true;
        efiSupport = true;
        efiInstallAsRemovable = true;
        device = "nodev";
        splashImage = null;
        configurationLimit = 100;
      };
      timeout = 5;
    };

    kernelParams = [
      "boot.shell_on_fail"
      "zswap.enabled=0"
    ];

    binfmt = {
      emulatedSystems = mkIf pkgs.stdenv.hostPlatform.isx86 [ "aarch64-linux" ];
      preferStaticEmulators = true;
    };

    supportedFilesystems = [ "nfs" ];
  };

  networking = {
    networkmanager.enable = true;

    extraHosts =
      let
        subdomains = [ "" ".git" ];
      in
      builtins.foldl' (
        hosts-acc: domain-prefix:
        let
          host = "${domain-prefix}${config.networking.fqdn}";
        in
        hosts-acc
        + ''
          127.0.0.1 ${host}
          ::1 ${host}
        ''
      ) "" subdomains;

    firewall = {
      enable = true;

      allowedTCPPorts = [
        22
        80
        443
      ];
    };
  };

  services = {
    openssh = {
      enable = true;

      settings = {
        ClientAliveInterval = 300;
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };
  };

  virtualisation.podman.enable = true;

  zramSwap = {
    enable = true;

    algorithm = mkDefault "lzo-rle";
    memoryPercent = 100;
  };

  nixpkgs.config.allowUnfree = true;

  system = {
    configurationRevision = self.rev or self.dirtyRev;
    stateVersion = "25.11";
  };

  environment.etc."nixos/current".source = lib.cleanSource ./..;
}