{ config, pkgs, lib, inputs, ... }:
{
  imports = [
    ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR`
    ./profiles/locale-no.nix
    # results of 'nixos-generate-config'
    # nice to have if i just dump this flake into /etc/nixos on a clean install
    (if builtins.pathExists ./configuration.nix
      then ./configuration.nix
      else {}
    )
    (if builtins.pathExists ./hardware-configuration.nix
      then ./hardware-configuration.nix
      else {}
    )
  ];

  environment.systemPackages = with pkgs; [
    ddrescue
    gptfdisk
    ms-sys
    nvme-cli
    parted
    pciutils
    smartmontools
    testdisk
    usbutils
  ];

  # TODO: selectively whitelist?
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.allowUnfreePredicate = (pkg: true);
  nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg

  # TODO: per host?
  hardware.enableRedistributableFirmware = true;

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.allowed-users = [ "*" ]; # default
  #nix.settings.allowed-users = [ "@nixbld" "@builders" ]; # TODO: this
  nix.settings.trusted-users = [ "root" "@wheel" ];
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  #nix.optimize.automatic = true;           # periodic optimization
  nix.gc.automatic = true;
  nix.gc.dates     = "weekly";
  nix.gc.options   = "--delete-older-than 30d";

  services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true;

  # firewall
  services.fail2ban.enable = config.services.openssh.enable;
  networking.firewall.enable = true; # default
}