{
  pkgs,
  nixvim,
  user,
  agenix,
  ...
}: let
  sshKeys = import ../../shared/ssh-keys.nix;
in {
  imports = [
    agenix.nixosModules.default
  ];

  system.stateVersion = "25.11";

  time.timeZone = "UTC";

  nix = {
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    nixPath = ["nixos-config=/home/${user}/.local/share/src/nixos-config:/etc/nixos"];
  };

  virtualisation.docker = {
    enable = true;
    logDriver = "json-file";
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "yes";
        PasswordAuthentication = false;
      };
    };
    tailscale.enable = true;
  };

  users.users = {
    ${user} = {
      isNormalUser = true;
      home = "/home/${user}";
      extraGroups = [
        "wheel"
        "sudo"
        "network"
        "systemd-journal"
        "docker"
      ];
      shell = pkgs.fish;
      openssh.authorizedKeys.keys = sshKeys.keys;
    };

    root = {
      openssh.authorizedKeys.keys = sshKeys.keys;
    };
  };

  security.sudo = {
    enable = true;
    extraRules = [
      {
        commands = [
          {
            command = "${pkgs.systemd}/bin/reboot";
            options = ["NOPASSWD"];
          }
        ];
        groups = ["wheel"];
      }
    ];
  };

  environment.systemPackages = with pkgs; [
    agenix.packages."${pkgs.system}".default
    inetutils
  ];

  home-manager = {
    users.${user} = {
      pkgs,
      config,
      lib,
      ...
    }: {
      _module.args = {inherit user;};
      imports = [
        nixvim.homeModules.nixvim
        ../base/home-manager
      ];
      home = {
        stateVersion = "25.11";
      };
    };
  };
}