# Baseline NixOS module shared by hosts: root SSH keys, backups, Nix/Lix
# settings, nginx defaults, logging and audit settings, kernel/network tuning.
{ pkgs, lib, ... }:
{
  users = {
    # Login banner text, read from the file next to this module at evaluation time.
    motd = builtins.readFile ./federez.motd;

    # Every key contained in these files is added to root's authorized keys,
    # so each file is effectively a root credential. Changes under ../pubkeys
    # deserve the same review as changes to this list; drop an entry here when
    # its owner's access should end.
    users.root.openssh.authorizedKeys.keyFiles = [
      ../pubkeys/raito.keys
      ../pubkeys/bensmrs.keys
      ../pubkeys/tomate.keys
      ../pubkeys/jeltz.keys
    ];
  };

  # root's home directory is included in backups.
  # NOTE(review): the `backups` option is declared elsewhere; if /root can hold
  # secrets (keys, tokens, shell history), confirm the backup destination is
  # encrypted and access-controlled.
  backups.directories = [ "/root" ];

  nix = {
    # Lix is the default Nix implementation; mkDefault lets a host override it.
    package = lib.mkDefault pkgs.lix;

    # Automatic garbage collection of store paths older than 30 days.
    # `persistent` makes a run that was missed while the machine was off
    # happen after the next boot; hosts may override the schedule.
    gc = {
      automatic = true;
      persistent = true;
      dates = lib.mkDefault "daily";
      options = "--delete-older-than 30d";
    };
  };

  # Refused connections are not logged by the firewall. This cuts log noise,
  # but it also removes that signal from the host's own logs.
  # NOTE(review): confirm another data source covers dropped-traffic visibility
  # if it is needed for detection or incident response.
  networking.firewall.logRefusedConnections = false;

  # Runs the audit daemon.
  # NOTE(review): this module sets neither `security.audit.enable` nor
  # `security.audit.rules`; confirm they are configured elsewhere (or implied
  # by the nixpkgs version in use), otherwise little may actually be recorded.
  security.auditd.enable = true;

  services = {
    # nginx defaults; the recommended* toggles use mkDefault so an individual
    # host can opt out of any of them.
    nginx = {
      recommendedOptimisation = lib.mkDefault true;
      recommendedTlsSettings = lib.mkDefault true;
      recommendedProxySettings = lib.mkDefault true;
      recommendedGzipSettings = lib.mkDefault true;

      # Per-worker connection limit.
      eventsConfig = ''
        worker_connections 8192;
      '';

      # File-descriptor limit for worker processes, set to twice
      # worker_connections.
      appendConfig = ''
        worker_rlimit_nofile 16384;
      '';
    };

    # Cap the on-disk journal at 512M; older entries are discarded once the
    # cap is reached.
    # NOTE(review): on a busy host this can be a short retention window;
    # confirm logs are forwarded elsewhere if longer history is required.
    journald.extraConfig = "SystemMaxUse=512M";
  };

  boot = {
    kernelParams = [
      # Reboot 30 seconds after a kernel panic.
      "panic=30"
      # Panic on a boot failure instead of offering an interactive prompt.
      "boot.panic_on_fail"
    ];

    kernel.sysctl = {
      # Default TCP congestion control algorithm.
      "net.ipv4.tcp_congestion_control" = "bbr";
      # Enable ECN.
      "net.ipv4.tcp_ecn" = 1;
      # Enable TCP Fast Open (3 = both client and server side).
      "net.ipv4.tcp_fastopen" = 3;
    };
  };

  # Tools installed system-wide on every host.
  environment.systemPackages = [
    pkgs.htop
    pkgs.kitty.terminfo
  ];
}