{ self, config, pkgs, lib, ... }:
let
  # Binary caches that unprivileged users are *allowed* to request
  # (see the note on trusted-substituters below).
  optionalCaches = [
    "https://cachix.cachix.org"
    "https://nixpkgs.cachix.org"
    "https://nix-community.cachix.org"
  ];

  # Every key listed here lets its holder supply arbitrary store paths to
  # this host. A substituted closure is executed as trusted code, so a key
  # should only be added for a cache operator trusted as much as nixpkgs
  # itself.
  cacheSigningKeys = [
    "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
    "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
  ];

  # Public keys granted root shell access over SSH.
  rootAuthorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
  ];
in
{
  ## Kernel ##
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.kernel.sysctl = {
    "net.ipv4.tcp_congestion_control" = "bbr";
    "net.ipv4.tcp_ecn" = 1;
    # 3 = TCP Fast Open enabled for both the client and the server side.
    "net.ipv4.tcp_fastopen" = 3;
    "net.ipv4.tcp_tw_reuse" = 1;
  };

  ## Nix daemon ##
  nix.package = pkgs.nixVersions.stable;
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 14d";
  nix.optimise.automatic = true;
  nix.extraOptions = ''
    tarball-ttl = 900
  '';
  nix.settings = {
    # NOTE(review): trusted-substituters only whitelists caches that
    # non-trusted users may opt into; it does not enable them for the
    # daemon. They are presumably switched on through `substituters` (or a
    # flake's nixConfig) elsewhere -- verify, otherwise these caches are
    # never consulted and only cache.nixos.org is used.
    trusted-substituters = optionalCaches;
    trusted-public-keys = cacheSigningKeys;
    # A trusted user can override substituters and signing keys on the
    # command line, which is equivalent to root on the host. Keep this to
    # root only.
    trusted-users = [ "root" ];
    # mkDefault so another module can override the feature list.
    experimental-features = lib.mkDefault [ "nix-command" "flakes" ];
  };

  ## Networking ##
  networking.useNetworkd = true;
  systemd.network.enable = true;
  # Consumed by systemd-resolved, not written to /etc/resolv.conf directly.
  # The "#hostname" suffix is the TLS server name resolved would use for
  # DNS-over-TLS; it has no effect unless DNSOverTLS is enabled in resolved,
  # which this module does not do. NOTE(review): confirm whether DoT is
  # intended to be enabled elsewhere; otherwise queries leave in cleartext.
  networking.nameservers = [
    "8.8.8.8#dns.google"
    "1.0.0.1#cloudflare-dns.com"
  ];
  networking.firewall = {
    enable = true;
    allowPing = true;
    # Refused packets are not logged: less log noise, but no record of
    # port scans or blocked connection attempts.
    logRefusedConnections = false;
  };
  services.resolved = {
    enable = true;
    # DNSSEC validation is off, so answers from the resolvers above are
    # accepted without verification.
    dnssec = "false";
  };

  ## Locale ##
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
  time.timeZone = "America/Los_Angeles";

  ## Login banner ##
  users.motdFile = "/etc/motd";
  # NOTE(review): `self.shortRev or self.dirtyShortRev` evaluates
  # dirtyShortRev only when shortRev is missing; if neither attribute
  # exists (e.g. the flake source is not a git checkout) evaluation fails.
  environment.etc.motd.text = ''
    Machine ${config.networking.hostName} NixOS ${config.system.nixos.release} @ ${self.shortRev or self.dirtyShortRev}
  '';

  ## Skip the slow "building man-cache" step during activation.
  documentation.man.generateCaches = lib.mkForce false;

  ## Accounts ##
  # Declarative accounts only. No root password is declared in this module,
  # so unless another module sets one, root is reachable only via the SSH
  # key below.
  users.mutableUsers = false;
  # NOTE(review): key-based root SSH login. sshd is not enabled and
  # PermitRootLogin is not set in this module; confirm the sshd settings
  # elsewhere keep password authentication off for root.
  users.users.root.openssh.authorizedKeys.keys = rootAuthorizedKeys;
  # NOTE(review): wheel members escalate to root without re-authenticating,
  # so a compromised wheel session is a full host compromise. No wheel users
  # are declared in this file -- check where they are defined.
  security.sudo.wheelNeedsPassword = false;

  ## Base tooling ##
  environment.systemPackages = [
    pkgs.bottom
    pkgs.curl
    pkgs.dysk
    pkgs.fd
    pkgs.fish
    pkgs.git
    pkgs.htop
    pkgs.jq
    pkgs.kitty.terminfo
    pkgs.mtr
    pkgs.pciutils
    pkgs.powertop
    pkgs.ripgrep
    pkgs.tcpdump
    pkgs.traceroute
    pkgs.vim
    pkgs.wireguard-tools
  ];
}