{ config, pkgs, ... }:

{
  system.stateVersion = "25.05";

  imports =
    [
      ./modules/bootloader.nix
      ./modules/hardware-configuration.nix # Include the results of the hardware scan.
      ./modules/networking.nix
      ./modules/users.nix
      ./modules/audio.nix
      ./modules/printing.nix
      ./modules/localization.nix
      ./modules/x.nix
    ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  programs.git.enable = true;
  programs.firefox.enable = true;

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = with pkgs; [ neovim ];

  services.spice-vdagentd.enable = true;
  services.openssh = {
    enable = true;
    startWhenNeeded = true;
    settings = {
      ## hardening
      PermitRootLogin = "no";
      MaxAuthTries = 3;
      LoginGraceTime = "1m";
      PasswordAuthentication = false;
      PermitEmptyPasswords = false;
      ChallengeResponseAuthentication = false;
      KerberosAuthentication = false;
      GSSAPIAuthentication = false;
      X11Forwarding = false;
      PermitUserEnvironment = false;
      AllowAgentForwarding = false;
      AllowTcpForwarding = false;
      PermitTunnel = false;
      ## sshd_config defaults on Arch Linux
      KbdInteractiveAuthentication = false;
      UsePAM = true;
      PrintMotd = false;
    };
  };
}