# NixOS module: Nix daemon settings, access-token includes, and periodic GC.
{ config, pkgs, lib, ... }:
let
  inherit (config.sops) secrets;

  # One GiB in bytes; min-free / max-free below are expressed in bytes.
  gib = 1024 * 1024 * 1024;

  # True only for x86_64-linux hosts evaluated against a lib older than 25.05.
  needsExplicitSystemFeatures =
    pkgs.stdenv.hostPlatform.system == "x86_64-linux"
    && (lib.versionOlder lib.version "25.05");
in
{
  sops.secrets = {
    # No attributes set here, so the sops-nix defaults apply
    # (presumably root-only — confirm against the sops-nix version in use).
    nix-access-tokens = { };

    # Group-readable: every member of the "keys" group can read this file.
    # NOTE(review): keep membership of that group as small as the tokens' scope requires.
    nix-access-tokens-all = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
  };

  nix = {
    # "!include" (unlike "include") ignores a missing file, so nix.conf stays
    # valid when a secret is not present; the tokens are then simply absent.
    extraOptions = ''
      !include ${secrets.nix-access-tokens.path}
      !include ${secrets.nix-access-tokens-all.path}
    '';

    # https://nix.dev/manual/nix/stable/command-ref/conf-file.html
    # https://nix.dev/manual/nix/latest/command-ref/conf-file.html
    # https://docs.lix.systems/manual/lix/stable/command-ref/conf-file.html
    settings = {
      # === behaviour
      experimental-features = [
        "nix-command"
        "flakes"
        # "pipe-operator" # not supported on lix 2.91
      ];
      log-lines = 35;
      # keep-going = true;

      # === access
      #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
      # Who may connect to the Nix daemon; the default is [ "*" ].
      allowed-users = [
        "root"
        "@wheel"
      ];
      # NOTE(review): the Nix manual warns that trusted-users is essentially
      # root-equivalent (such users may add substituters and import unsigned
      # paths). Every @wheel member gets that without a sudo prompt — confirm
      # this is intended.
      trusted-users = [
        "root"
        "@wheel"
      ];

      # === eval and realization
      keep-derivations = true; # keep .drv in store, great with nix-diff
      max-silent-time = 3600; # seconds without output before a build is killed

      # === substitution
      http-connections = 128; # default is 25
      max-substitution-jobs = 128; # default is 16
      connect-timeout = 5; # timeout in seconds for binary caches
      download-attempts = 2; # download attempts, in case a binary cache fails
      # fallback = lib.mkDefault true; # fallback to building if a binary cache fails

      # === store
      #settings.keep-failed = true; # fills up $TMPDIR
      # Deduplicate with hardlinks; expensive. Alternative: nix-store --optimise
      auto-optimise-store = true;
      min-free = 5 * gib; # free space below this starts a gc
      max-free = 20 * gib; # the gc triggered by min-free stops once this much is free

      # should not be needed since https://github.com/NixOS/nixpkgs/pull/383052
      system-features = lib.mkIf needsExplicitSystemFeatures [
        "nixos-test"
        "big-parallel"
        "kvm"
      ];
    };

    #nix.optimize.automatic = true; # periodic store optimization, alternative nix.settings.auto-optimise-store

    gc = {
      automatic = true;
      dates = "weekly";
      # The age-based deletion flag is passed only when automatic upgrades are enabled.
      options = lib.mkIf config.system.autoUpgrade.enable "--delete-older-than 15d";
    };
  };
}