# Base NixOS module: time zone and locale, boot loader and kernel, sudo policy,
# Docker, a common CLI toolset, and systemd-networkd / systemd-resolved
# networking with DNS-over-TLS.
{ config, lib, pkgs, ... }:

{
  imports = [ ./nix.nix ];

  time.timeZone = "America/Los_Angeles";

  # Internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # Members of `wheel` run sudo without a password. Any process running as a
  # wheel user can become root non-interactively, so wheel membership on this
  # host is equivalent to root.
  security.sudo.wheelNeedsPassword = false;

  # Virtualisation: run the Docker daemon. Access to the Docker socket (the
  # `docker` group) is root-equivalent; group membership is not set in this file.
  virtualisation.docker.enable = true;

  boot = {
    loader.systemd-boot.enable = true;

    # Track the newest packaged kernel rather than the NixOS default kernel.
    kernelPackages = pkgs.linuxPackages_latest;

    kernel.sysctl = {
      # 3 = TCP Fast Open support for both client (1) and server (2) sides.
      "net.ipv4.tcp_fastopen" = 3;
      # Allow TIME_WAIT sockets to be reused for new outgoing connections.
      "net.ipv4.tcp_tw_reuse" = 1;
    };
  };

  # Command-line tooling installed system-wide.
  environment.systemPackages = with pkgs; [
    curl
    fd
    fish
    git
    htop
    jq
    mtr
    pciutils
    powertop
    ripgrep
    tcpdump
    traceroute
    vim
  ];

  networking = {
    # The host firewall is off: every listening port is reachable from any
    # network this machine is attached to, so exposure depends entirely on what
    # each service binds to (ports published by Docker included). The other two
    # firewall settings belong to the firewall module and only take effect once
    # it is enabled.
    firewall.enable = false;
    firewall.allowPing = true;
    firewall.logRefusedConnections = false;

    # Default to systemd-networkd; hosts importing this module may override.
    useNetworkd = lib.mkDefault true;

    # Enables DHCP on each ethernet and wireless interface. With scripted
    # networking this is the recommended approach. With systemd-networkd the
    # option still works, but it is recommended to combine it with explicit
    # per-interface declarations via `networking.interfaces.<name>.useDHCP`.
    useDHCP = lib.mkDefault true;

    # Upstream resolvers, consumed by systemd-resolved rather than written
    # directly to resolv.conf. The part after `#` is the server name that
    # systemd-resolved uses for DNS-over-TLS.
    nameservers = [
      "8.8.8.8#dns.google"
      "1.0.0.1#cloudflare-dns.com"
    ];
  };

  # When DHCP is enabled globally, treat the network as online as soon as any
  # one interface is up instead of waiting for all of them.
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  # systemd-resolved provides DNS-over-TLS. `DNSOverTLS=yes` is the strict
  # mode: lookups fail instead of falling back to plaintext DNS. DNSSEC
  # validation is disabled, so the authenticity of answers rests on the TLS
  # channel and on the upstream resolvers listed in `networking.nameservers`.
  services.resolved.enable = true;
  services.resolved.dnssec = "false";
  services.resolved.extraConfig = ''
    DNSOverTLS=yes
  '';

  # Skip the slow "building man-cache" step during system builds.
  documentation.man.generateCaches = lib.mkForce false;
}