# Host hardening module: restricts access to the Nix daemon, switches off the
# sudo/su-style privilege-escalation tools and their setuid wrappers, and
# configures NTS-authenticated time synchronisation.
{
  config,
  lib,
  pkgs,
  ...
}: {
  imports = [
    ./boot.nix
    ./coredump.nix
    ./services.nix
    ./ssh.nix
  ];

  networking.modemmanager.enable = false;

  nix.settings = {
    # Only members of the "users" group may talk to the Nix daemon.
    allowed-users = ["@users"];
    # Trusted users can override daemon settings (extra substituters, unsigned
    # imports), which is effectively root-equivalent: treat "wheel" membership
    # as root access when reviewing accounts.
    trusted-users = ["@wheel"];
  };

  # The sudo-compatible shim is only added when doas is enabled. doas is left
  # commented out below, so another module has to enable it for this to apply.
  environment.systemPackages = [
    (lib.mkIf config.security.doas.enable pkgs.doas-sudo-shim)
  ];

  security = {
    # doas.enable = true;
    # pam.sshAgentAuth.enable = true;

    # Both sudo implementations are off and the setuid wrappers for newgrp,
    # pkexec, sg and su are disabled, so this file by itself enables no
    # sudo/doas/su-style command for becoming root.
    # NOTE(review): confirm an administrative path exists elsewhere (console
    # root login, one of the imported modules) before deploying.
    sudo.enable = false;
    sudo-rs = {
      enable = false;
      # Inert while sudo-rs is disabled; if it is enabled later, only members
      # of wheel will be able to execute it.
      execWheelOnly = true;
    };
    wrappers = {
      newgrp.enable = false;
      pkexec.enable = false;
      sg.enable = false;
      su.enable = false;
    };

    polkit = {
      enable = true;
      # Lets every member of "users" reboot or power off without
      # authentication, including while other sessions are logged in. The rule
      # tests neither subject.local nor subject.active, so it also covers
      # remote (e.g. SSH) sessions; add those conditions if only the user at
      # the console should be allowed.
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if (
            subject.isInGroup("users")
            && (
              action.id == "org.freedesktop.login1.reboot"
              || action.id == "org.freedesktop.login1.reboot-multiple-sessions"
              || action.id == "org.freedesktop.login1.power-off"
              || action.id == "org.freedesktop.login1.power-off-multiple-sessions"
            )
          ) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  services = {
    dbus.implementation = "broker";

    chrony = {
      enable = true;
      # Network Time Security: server responses are cryptographically
      # authenticated instead of being accepted as plain NTP.
      enableNTS = true;
      # RTC trimming is off because the RTC is handled by the rtcsync
      # directive below; chrony does not allow the two to be combined.
      enableRTCTrimming = false;
      extraConfig = "rtcsync";
      # -r reloads saved measurement history, -s sets the system clock from
      # the RTC at startup.
      extraFlags = ["-r" "-s"];
      # Each entry carries "nts" itself, so a server line never degrades to
      # unauthenticated NTP even if enableNTS is switched off later.
      # NOTE(review): the NixOS chrony module is expected to append its own
      # serverOption (default "iburst") and "nts" to every entry, which would
      # repeat the suffixes written here; check the generated chrony.conf.
      servers = [
        "time.cloudflare.com iburst nts"
        "ntppool1.time.nl iburst nts"
        "nts.netnod.se iburst nts"
        "ptbtime1.ptb.de iburst nts"
        "time.dfm.dk iburst nts"
        "time.cifelli.xyz iburst nts"
      ];
    };
  };
}