{ config, lib, pkgs, ... }:

{
  # Essential system tools
  environment.systemPackages = with pkgs; [
    git
    git-crypt # used to store secrets in configuration
    git-lfs # not so essential, but required to clone config
    htop
    (unstable.neovim.override { vimAlias = true; }) # FIXME unstable is for python-msgpack 1.0; use stable once python-msgpack 1.0 is in stable
    tmux
  ];

  # Clean temporary files on boot
  boot.cleanTmpDir = true;

  # Disable firewall
  networking.firewall.enable = lib.mkDefault false;

  # Set zsh as default shell
  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;

  # Sane swapping
  boot.kernel.sysctl."vm.swapiness" = 10;

  # Store logs persistently
  services.journald.extraConfig = "Storage = persistent";

  # Hard drive monitoring
  services.smartd.enable = true;
  # Network monitoring
  services.vnstat.enable = true;

  # Authentication/Encryption agents
  programs.gnupg.agent.enable = true;
  programs.ssh.startAgent = true;

  # NixOS version
  system.stateVersion = "20.03";

  nixpkgs.config = {
    # Explicitly allow unfree packages (rule of thumb: assets ok, code not ok)
    allowUnfreePredicate = (
      pkg: builtins.elem (lib.getName pkg) [
        "corefonts"
        "vista-fonts"
      ]
    );
    # Add unstable channel
    packageOverrides = pkgs: {
      unstable = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz") {
        config = config.nixpkgs.config;
      };
      nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
        inherit pkgs;
      };
    };
  };
}