# Host-independent base module: flake-aware unattended upgrades, nix store
# housekeeping, and a few baseline network settings. Reformatted from a
# single collapsed line; every option value is unchanged.
{ config, pkgs, lib, inputs, ... }:

{
  imports = [
    ./cachix.nix
    ./profiles/locale-no.nix
    # hardware-configuration.nix is what `nixos-generate-config` emits; it is
    # optional so this module still evaluates on a machine that has none.
    (if builtins.pathExists ./hardware-configuration.nix
     then ./hardware-configuration.nix
     else { })
  ];

  nixpkgs.config = {
    allowUnfree = true;
    allowUnfreePredicate = (pkg: true); # presumably redundant with allowUnfree = true above — confirm
    nonfreeLicensing = true; # used by ffmpeg
  };

  # Unattended 'nixos-rebuild switch --upgrade', by default daily with no reboot.
  system.autoUpgrade = {
    enable = true;
    #allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`

    # Upgrade from the in-store copy of this very flake (read-only).
    flake = inputs.self.outPath; # a nix store path
    #flake = "github:pbsds/nix-config"; # TODO: use this instead?

    flags = [
      "--recreate-lock-file" # fetch new inputs
      "--no-write-lock-file" # no write new flakelock, as the in-store flake is read-only
      "-L" # print build logs
    ];
    # NOTE(review): `--recreate-lock-file` refetches every input at upgrade
    # time and `--no-write-lock-file` discards the lock that fetch produced, so
    # nothing on this host records which input revisions a given generation
    # was built from, and no upstream change is reviewed before it is
    # deployed. Persist the resolved lock somewhere (or pin the inputs) if the
    # deployed closure needs to be auditable or rebuilt later.
  };

  /* Disabled alternative: upgrade from a mutable checkout in /etc/nixos.
     Previously toggled on and off with a block-comment trick; kept for reference.

     # TODO: this doesn't work during 'nix eval' on a non-nixos machine
     system.autoUpgrade.flake = "/etc/nixos";
     system.autoUpgrade.flags = [
       "--recreate-lock-file" # fetch new inputs
       #"--commit-lock-file" # commit new lock to local git repo
       # TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
       "-L" # print build logs
     ];
     #assertions = [
     #  { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
     #];
  */
  # TODO: make /etc/nixos a symlink to the in-store flake? - bad idea, horrible error recovery
  # TODO: make /etc/nixos a checkout of repo?
  # TODO: update only nixpkgs and unstable

  # Expose the deployed flake under /etc for inspection.
  # the plan was to allow me to locate the new flake.lock, but alas https://github.com/NixOS/nix/issues/6895
  environment.etc."current-system-flake".source = inputs.self;

  environment.shells = with pkgs; [ bash zsh ];

  nix = {
    settings = {
      # Users listed here can act as root through the nix daemon (e.g. add
      # substituters), so keep the list as short as possible.
      trusted-users = [ "root" ]; # default, but will stick around after a merge with ./users
      auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
    };
    #optimize.automatic = true; # periodic optimization
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d"; # TODO: can i make this non-string?
    };
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  # TODO: only if x86_64?
  services.thermald.enable = true;

  # Baseline network posture: ban brute-forcers whenever sshd is enabled and
  # keep the host firewall on.
  services.fail2ban.enable = config.services.openssh.enable;
  networking.firewall.enable = true; # default
}