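# Base NixOS module shared by hosts: unattended upgrades from the flake,
# Nix daemon settings, bootloader, firewall/fail2ban and Norwegian locale.
#
# Arguments:
#   config - the final merged system configuration (read for openssh.enable)
#   pkgs   - nixpkgs package set (not referenced in this module)
#   lib    - nixpkgs library (not referenced in this module)
#   inputs - flake inputs; `inputs.self` is this flake
{ config, pkgs, lib, inputs, ... }:

{
  imports = [
    ./cachix.nix
    # Results of 'nixos-generate-config'. The empty module in the else branch
    # keeps the import list valid on machines that have no generated file.
    (if builtins.pathExists ./hardware-configuration.nix
      then ./hardware-configuration.nix
      else {}
    )
  ];

  # Every unfree package is accepted: the predicate returns true for any pkg.
  # A narrower policy would be a predicate that matches `lib.getName pkg`
  # against an explicit list of names.
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.allowUnfreePredicate = (pkg: true);

  # 'nixos-rebuild switch --upgrade', by default daily with no reboot
  system.autoUpgrade.enable = true;
  #system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`

  # Comment toggle: the opener below is not terminated by its own "* /", so the
  # block comment runs up to the first empty comment marker and disables
  # variant A (flake in /etc/nixos). Variant B, after that marker, is active.
  #
  # NOTE(review): with "--recreate-lock-file" each unattended run resolves every
  # flake input afresh, so the revisions pinned in the committed flake.lock are
  # not what gets built; new upstream revisions are built and activated as root
  # with no review step. Because the flake itself is the read-only store copy,
  # the configuration only changes on a manual rebuild while its inputs float.
  # The commented-out "github:" reference would presumably follow the lock file
  # committed in that repository if the flag were dropped; verify before use.

  /** /
  # TODO: this doesn't work during 'nix eval' on a non-nixos machine
  system.autoUpgrade.flake = "/etc/nixos";
  system.autoUpgrade.flags = [
    "--recreate-lock-file" # fetch new inputs
    #"--commit-lock-file" # commit new lock to local git repo # TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
    "-L" # print build logs
  ];
  #assertions = [
  #  { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
  #];
  /**/
  system.autoUpgrade.flake = inputs.self.outPath; # a nix store path
  #system.autoUpgrade.flake = "github:pbsds/nix-config"; # TODO: use this instead?
  system.autoUpgrade.flags = [
    "--recreate-lock-file" # fetch new inputs
    "--no-write-lock-file" # do not write a new flake.lock, as the in-store flake is read-only
    "-L" # print build logs
  ];
  /**/

  # Trusted users may override Nix daemon settings, which is effectively
  # root-equivalent access. "root" is the default; it is stated here so it is
  # still present after merging with ./users. Review anything ./users adds.
  nix.settings.trusted-users = [ "root" ];
  nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
  #nix.optimize.automatic = true; # periodic optimization
  nix.gc.automatic = true;
  nix.gc.dates = "weekly";
  nix.gc.options = "--delete-older-than 30d";

  # Typed list under nix.settings instead of a raw nix.conf snippet in
  # nix.extraOptions; it renders the same "experimental-features" line.
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # TODO: only if x86_64?
  services.thermald.enable = true;

  # Bootloader
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda"; # TODO: host-specific
  boot.loader.grub.useOSProber = true;

  # firewall
  # fail2ban is enabled exactly when the OpenSSH server is enabled.
  services.fail2ban.enable = config.services.openssh.enable;
  networking.firewall.enable = true; # default

  # Time zone and internationalisation properties.
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.utf8";
  i18n.extraLocaleSettings.LC_ADDRESS = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_IDENTIFICATION = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_MEASUREMENT = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_MONETARY = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_NAME = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_NUMERIC = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_PAPER = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_TELEPHONE = "nb_NO.utf8";
  i18n.extraLocaleSettings.LC_TIME = "nb_NO.utf8";
  console.keyMap = "no";
  # NOTE(review): newer NixOS releases rename these two options to
  # services.xserver.xkb.layout / services.xserver.xkb.variant; confirm
  # against the release this host tracks before changing them.
  services.xserver.layout = "no";
  services.xserver.xkbVariant = "";
}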