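{ config, lib, pkgs, ... }:
let
  # Taken from https://nixos.wiki/wiki/Overlays
  #
  # Exposes the overlays configured in `nixpkgs.overlays` to commands that
  # evaluate nixpkgs through NIX_PATH (e.g. `nix run`, `nix-shell -p`) via the
  # `nixpkgs-overlays=` entry in `nix.nixPath` below. Without this, such
  # commands would see a plain nixpkgs without the packages from ../pkgs.
  overlaysCompat = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = ''
      self: super:
      with super.lib;
      let
        # Load the system config and get the `nixpkgs.overlays` option.
        # NOTE(review): the wiki snippet imports `<nixpkgs/nixos>`; the angle
        # brackets are restored here because `import { }` is not valid Nix
        # (import expects a path, not an attribute set).
        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
      in
      # Apply all overlays to the input of the current "main" overlay
      foldl' (flip extends) (_: super) overlays self
    '';
  };
in
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure will be
        smaller, but some features will not be available.
      '';
      default = true;
    };
    gui.enable = lib.mkEnableOption "gui";
    games.enable = lib.mkEnableOption "games";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./libvirt.nix
    ./locales.nix
    ./media-proxy.nix
    ./network-manager.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pulseaudio.nix
    ./restic.nix
    ./secrets.nix
    ./ssh.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
  ];

  config = {
    # Essential system tools
    environment.systemPackages = with pkgs; [
      git
      git-crypt # used to store secrets in configuration
      git-lfs # not so essential, but required to clone config
      htop
      tmux
      vim
    ];

    # Clean temporary files on boot
    boot.cleanTmpDir = true;

    # Set zsh as default shell
    programs.zsh.enable = true;
    users.defaultUserShell = pkgs.zsh;

    # command-not-found does not work without channels
    programs.command-not-found.enable = false;

    # Sane swapping
    # Fixed: the key was previously spelled `vm.swapiness`, which the kernel
    # does not know, so systemd-sysctl would report an error and the intended
    # value was never applied.
    boot.kernel.sysctl."vm.swappiness" = 10;

    # Store logs persistently (across reboots) instead of only in /run
    services.journald.extraConfig = "Storage = persistent";

    # Hard drive monitoring
    services.smartd.enable = true;

    # Network monitoring
    services.vnstat.enable = true;

    # Authentication/Encryption agents
    programs.gnupg.agent.enable = true;
    programs.ssh.startAgent = true;

    # When this is set to true (default), routing everything through a
    # wireguard tunnel does not work.
    # NOTE: "loose" relaxes the kernel's reverse-path filter (rp_filter) from
    # strict to loose mode, i.e. a packet is accepted if the source is reachable
    # via *any* interface rather than the one it arrived on. This weakens
    # anti-spoofing on multi-homed hosts; it is the documented trade-off for
    # policy-routing all traffic through a tunnel.
    networking.firewall.checkReversePath = "loose";

    nix = {
      nixPath = [
        "/var/src" # pinned nixpkgs and configuration
        "nixpkgs=/var/src/nixpkgs" # for nix run
        "nixpkgs-overlays=${overlaysCompat}"
      ];

      # Make sudoers trusted nix users
      # NOTE: trusted users may pass arbitrary settings (e.g. substituters,
      # sandbox options) to nix-daemon, which is effectively root-equivalent.
      # Restricting this to @wheel adds no principals beyond those who already
      # have sudo, but do not widen it to e.g. all users.
      trustedUsers = [ "@wheel" ];

      # On-the-fly optimisation of nix store
      autoOptimiseStore = true;

      # Keep output of derivations with gc root
      extraOptions = ''
        keep-outputs = true
        keep-derivations = true
      '';

      # Make nix build in background less noticeable
      daemonIONiceLevel = 5; # 0-7
    };
    systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = "batch";

    nixpkgs.config = {
      # Add unstable channel
      # The unstable tree is pinned via ../nix/sources.nix (niv-style); the
      # same `config` and `overlays` are applied to it so that e.g. unfree
      # settings and the local overlay behave identically on both trees.
      packageOverrides = pkgs: {
        unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
          config = config.nixpkgs.config;
          overlays = config.nixpkgs.overlays;
        };
      };
    };

    nixpkgs.overlays = [
      (import ../pkgs)
    ];

    # Globally set Let's Encrypt requirements
    # acceptTerms is required by the acme module; the contact address receives
    # expiry and policy notices from the CA.
    security.acme = {
      acceptTerms = true;
      email = "security@sbruder.de";
    };
  };
}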