{
  lib,
  adminUser,
  config,
  ...
}:
{
  imports = [
    ./disks.nix
    ./hardware-configuration.nix
    {
      home-manager.users.${adminUser.name} = {
        imports = [
          ./home.nix
          { home.stateVersion = "25.05"; }
        ];
      };
    }
  ];

  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;

  networking.hostName = "rivendell";
  networking.useDHCP = lib.mkDefault true;
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  users.users.builder = {
    openssh.authorizedKeys.keys = [
      # my personal key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
      # remote builder ssh key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
    ];
    isNormalUser = true;
    group = "nogroup";
  };

  boot.kernelParams = [
    "ip=dhcp"
  ];

  boot.initrd.network = {
    enable = true;
    postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
    flushBeforeStage2 = true;
    ssh = {
      enable = true;
      port = 911;
      hostKeys = [
        "/etc/initrd/ssh_host_ed25519_key"
      ];
      authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
      ];
    };
  };

  nix.settings.trusted-users = [ "builder" ];

  system.stateVersion = "23.11"; # Did you read the comment?
}