# NixOS module: Nix daemon/client settings, access tokens pulled in from
# sops-nix secrets, and store garbage collection.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  secrets = config.sops.secrets;
  gib = 1024 * 1024 * 1024;

  # True only on x86_64-linux with a nixpkgs release older than 25.05.
  pinSystemFeatures =
    pkgs.stdenv.hostPlatform.system == "x86_64-linux"
    && lib.versionOlder (lib.versions.majorMinor lib.version) "25.05";
in
{
  sops.secrets = {
    # No overrides here, so this secret takes the sops-nix defaults for
    # owner/group/mode (presumably root-only; confirm nothing else relaxes it).
    nix-access-tokens = { };

    # Readable by every member of the `keys` group (0440). Treat group
    # membership as access to these tokens and keep their scope minimal.
    nix-access-tokens-all = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
  };

  nix = {
    # Only the secret *paths* are interpolated, so token values are not copied
    # into the generated nix.conf. `!include` (with the bang) tolerates a
    # missing file: a failed secret deployment will not break Nix, but the
    # tokens will be silently absent.
    extraOptions = ''
      !include ${secrets.nix-access-tokens.path}
      !include ${secrets.nix-access-tokens-all.path}
    '';

    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
        # "pipe-operator" # not supported on lix 2.91
      ];

      #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
      # Who may talk to the Nix daemon at all.
      allowed-users = [
        # default is [ "*" ]
        "root"
        "@wheel"
      ];

      # NOTE(security): the Nix manual describes trusted users as essentially
      # root-equivalent with respect to the daemon (they can override
      # substituters and import unsigned store paths). Every `wheel` member
      # gets that without a sudo prompt; review wheel membership accordingly.
      trusted-users = [
        "root"
        "@wheel"
      ];

      keep-derivations = true; # keep .drv in store, great with nix-diff
      auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
      max-silent-time = 3600;
      connect-timeout = 5; # seconds timeout for binary caches
      #nix.settings.keep-failed = true; # fills up $TMPDIR
      log-lines = 35;
      min-free = 3 * gib; # free-space threshold (bytes) that starts gc
      max-free = 20 * gib; # condition to end gc triggered by min-free

      # should not be needed since https://github.com/NixOS/nixpkgs/pull/383052
      system-features = lib.mkIf pinSystemFeatures [
        "nixos-test"
        "big-parallel"
        "kvm"
      ];
    };

    gc = {
      #nix.optimize.automatic = true; # periodic optimization
      automatic = true;
      dates = "weekly";
      # The age cut-off is only set when automatic upgrades are enabled;
      # otherwise `options` is left at whatever the option default is.
      options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
    };
  };
}