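# NixOS host module: boot loader, ZFS, networking/DNS, a fan-control unit,
# locale and stateVersion.
{ pkgs, config, ... }:
{
  # boot, networking, locale, stateVersion
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Turns this host into an IPv4 router between its interfaces.
  # NOTE(review): with networking.firewall.enable = false (below) nothing in
  # this module filters forwarded or inbound traffic. Confirm that forwarding
  # is required and that filtering happens somewhere else.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  boot.supportedFilesystems = [ "zfs" ];

  # Mount /boot so that its files and directories are accessible to root only.
  fileSystems."/boot".options = [ "umask=0077" ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Periodic ZFS integrity scrub and TRIM.
  services.zfs.autoScrub.enable = true;
  services.zfs.trim.enable = true;

  networking = {
    useDHCP = true;
    nameservers = [ "192.168.4.3" "1.1.1.1" ];

    firewall = {
      # NOTE(review): the firewall is switched off, so trustedInterfaces and
      # allowedTCPPorts below are inert and every listening socket is
      # reachable on every interface. The allow-list suggests filtering was
      # intended. Before setting this to true, check whether any of the
      # listed services also need UDP (allowedUDPPorts), since only TCP is
      # declared here.
      enable = false;
      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = [ 22 80 443 2456 2457 9000 9001 9002 ];
    };
  };

  services.resolved = {
    enable = true;
    # "~." makes resolved the resolver for every domain.
    domains = [ "~." ];
    # Both settings are strict: answers that fail DNSSEC validation are
    # rejected, and there is no downgrade to plaintext DNS.
    # NOTE(review): 192.168.4.3 is used as a primary and a fallback server.
    # Verify that it supports DNS-over-TLS and DNSSEC, otherwise lookups
    # through it will fail under these settings.
    dnssec = "true";
    dnsovertls = "true";
    # The "#one.one.one.one" suffix gives resolved the name to verify in the
    # server certificate. The other entries carry no such name.
    fallbackDns = [ "192.168.4.3" "1.0.0.1#one.one.one.one" ];
  };

  # Custom unit that runs lm_sensors' fancontrol script.
  # NOTE(review): no User= or sandboxing options are set, so the unit runs
  # with systemd's defaults. No config path is passed either; presumably the
  # script reads its default /etc/fancontrol. Confirm that file is provisioned.
  systemd.services.fancontrol = {
    enable = true;
    description = "Fan speed control";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.lm_sensors}/bin/fancontrol";
      Restart = "always";
    };
  };

  # Fix: the neovim package installs its executable as `nvim`. There is no
  # `neovim` binary, so EDITOR = "neovim" breaks tools that spawn $EDITOR.
  # The package itself must be installed elsewhere in the configuration.
  environment.variables.EDITOR = "nvim";

  time.timeZone = "America/New_York";
  i18n.defaultLocale = "en_US.UTF-8";

  # Keep at the release this system was first installed with. This is not the
  # channel version to upgrade to.
  system.stateVersion = "24.11";
}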