{ config, pkgs, lib, inputs, ... }:
let
  # Import a module only when its file exists on disk, so this flake can be
  # dropped into /etc/nixos on a fresh install before `nixos-generate-config`
  # has produced these files. A missing file simply contributes nothing.
  ifExists = path: lib.optional (builtins.pathExists path) path;

  # Byte count for n GiB, in the string form nix.conf expects.
  gib = n: toString (n * 1024 * 1024 * 1024);

  isX86_64Linux = config.nixpkgs.system == "x86_64-linux";
in
{
  imports = [
    # Binary caches. Registering a cache (`cachix use --mode nixos -d . FOOBAR`)
    # also trusts its signing key, so anything that cache serves is accepted as
    # a valid store path -- only add caches whose operator you trust.
    ./cachix.nix
    ./profiles/locale-no.nix
  ]
  # Output of 'nixos-generate-config', when present.
  ++ ifExists ./configuration.nix
  ++ ifExists ./hardware-configuration.nix;

  # TODO: how can i do this in home-manager?
  nixpkgs.config = {
    # nixpkgs refuses to evaluate a version it has marked insecure (known,
    # unfixed vulnerabilities); listing it here is an explicit accept-the-risk.
    # Revisit on every nixpkgs bump and drop each pin as soon as the package
    # moves past the flagged version.
    permittedInsecurePackages = [
      "pulsar-1.106.0"
      "pulsar-1.109.0"
      "zotero-6.0.26"
      "gitea-1.19.4"
    ];

    # TODO: selectively whitelist?
    # With allowUnfree = true the predicate is redundant (it admits everything
    # anyway); it stays as the hook for narrowing to an explicit list later.
    allowUnfree = true;
    allowUnfreePredicate = _: true;
    nonfreeLicensing = true; # used by ffmpeg
  };

  # Disk-recovery and hardware-inspection tools, wanted on every host.
  environment.systemPackages = builtins.attrValues {
    inherit (pkgs)
      ddrescue
      gptfdisk
      ms-sys
      nvme-cli
      parted
      pciutils
      smartmontools
      testdisk
      usbutils;
  };

  # TODO: per host?
  hardware.enableRedistributableFirmware = true;

  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];

      # Who may talk to the daemon at all. "*" is the default: every local user.
      allowed-users = [ "*" ];
      #allowed-users = [ "@nixbld" "@builders" ]; # TODO: this

      # Trusted users can override substituters and trusted public keys and
      # import store paths without a valid signature -- on the Nix side this is
      # root-equivalent. Keep @wheel here only while every wheel member is
      # already trusted with root.
      trusted-users = [ "root" "@wheel" ];

      # Hard-link identical store files. Costs CPU on every build; the
      # one-shot alternative is `nix-store --optimise`.
      auto-optimise-store = true;
    };
    #optimize.automatic = true; # periodic optimisation

    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };

    # Keep between 1 and 5 GiB of free space on the store's filesystem.
    extraOptions = ''
      min-free = ${gib 1}
      max-free = ${gib 5}
    '';
  };

  # thermald is only meaningful on x86_64 hosts.
  services.thermald.enable = lib.mkIf isX86_64Linux true;

  # System fonts -- handy when X-forwarding from headless machines.
  # NOTE(review): `fonts.fonts` / `fonts.enableDefaultFonts` are the older
  # option names; newer NixOS releases rename them -- check the pinned release.
  fonts = {
    fontDir.enable = true; # creates /run/current-system/sw/share/X11/fonts
    enableDefaultFonts = true; # dejavu, freefont, gyre, liberation, unifont, noto-fonts-emoji
    fonts = [
      pkgs.noto-fonts # includes Cousine
      pkgs.noto-fonts-cjk
      pkgs.noto-fonts-emoji
      pkgs.noto-fonts-extra
    ];
  };

  # Network exposure. fail2ban only earns its keep when sshd is listening, so it
  # follows that switch. The firewall is on by default and rejects unsolicited
  # inbound traffic; services that must be reachable open their ports
  # explicitly (allowedTCPPorts / openFirewall).
  services.fail2ban.enable = config.services.openssh.enable;
  networking.firewall.enable = true; # default
}