{config, lib, pkgs, ... }: {
  programs.zsh.enable = true;
  programs.zsh.interactiveShellInit = "bindkey -e";
  programs.tmux.enable = true;

  orbekk.secrets.enable = true;

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgvHMjYQ5Ty7Em2Seji6dvYhgQUIbyhiHdzRINYpiOUMuVA8wgJOV0ZggmFFTO5zfJ83m7E5nc/zMuBVHwkx1gJz5ic8YdO9eLIhymQn9R+9fyLA+g+h8uwTi7UlFmQp+My7MYYxdA2tet1wwgm39Yu49mxi8lARUgi4awXn5K/ZFy08GyjGia2E/YKx2gXPKhHsWFKWPO5u8ik0v8AFCliY2wXiG4jkZE2zI0gI5FUp66tpxkaOSZqreH+lVJw+S+GAJIqzGI99zqZsAdpr7m4WALZEYwj9D7/lattSG14CAjXxjqcMSsfi6fV0ZsF1O40eoZ9mNQpIvatXtL6HBSN3kuUfraQMeB8o5kbxwyXt2Fr5hMKtEGYlMv5uPqdn+yHcC51F3RkUxFJplOFwZ3Rh/AjLLMKo+vEtL9UjhTuYiSQ0ySunY5JbBVkJY4z3pLT9MOPnq+KIfBMFBI/eYE6yeMNTHxIFMDaNMFOxWc0SoBDhgZJX5eblYidt/YWMOEPbqJNCrWIzQwtDsiYsF9JS/3D5civwTP/oaASaiJWTAvluwbibMFAC1OSBFb20xM5gD0C1q05pxVMN3Ioy1P0CIvJMLWfQR1yrNbnmoGUGHeSA/gwaxqMg7G+P/SBIheDAYEu5fzXXgFgO3sI8JvIdc1NTJMmHktahb/ecG1MQ== cardno:000605483586"
  ];

  networking.networkmanager.unmanaged = [ "interface-name:wg*" ];
  networking.search = [ "nyc.orbekk.com" ];

  # TODO: replace with programs.neovim.enable
  nixpkgs.overlays = [
    (final: prev: {
      neovim = prev.neovim.override {
        viAlias = true;
        vimAlias = true;
      };
    })
  ];
  environment.variables.EDITOR = "${pkgs.neovim}/bin/nvim";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  # nix.settings = {
  #   keep-outputs = true;
  #   keep-derivations = true;
  # };
  environment.pathsToLink = [
    "/share/nix-direnv"
  ];

  environment.systemPackages = with pkgs; [
    # Can be replaced with `programs.direnv.enable` after next nixos version.
    direnv nix-direnv
    starship
    cifs-utils
    inetutils # telnet
    bat
    bwm_ng
    clang
    coreutils
    direnv
    dnsutils
    binutils
    #emacs
    emacs-pgtk
    #pkgs.unstable.emacsNativeComp
    fd
    fzf
    git
    git-annex
    gitFull
    gnupg
    haskellPackages.hledger
    hledger
    htop
    iotop
    ledger
    moreutils
    mosh
    most
    neovim
    nix-index
    p7zip
    jq
    pass
    ripgrep
    rustup
    silver-searcher
    sqlite
    stow
    unrar
    unzip
    whois
    zoxide
    gnuplot
    (rWrapper.override {
      packages = with rPackages; [ data_table ggplot2 hms viridis lubridate ];
    })
  ];
  time.timeZone = "America/New_York";

  console.font = "ter-i32b";
  console.packages = [ pkgs.terminus_font ];

  services = {
    emacs.install = true;
    postgresql = { package = pkgs.postgresql_12; };
    openssh.settings.PasswordAuthentication = false;
    openssh.settings.KbdInteractiveAuthentication = false;
    fwupd.enable = true;
  };

  systemd.services.nix-gc.serviceConfig = {
    Nice = 19;
    IOSchedulingPriority = 7;
    IOSchedulingClass = "best-effort";
  };

  nix = rec {
    settings = {
      sandbox = lib.mkDefault true;
      cores = lib.mkDefault 0; # auto configure
      substituters = [
        "https://nix-community.cachix.org"
      ];
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      auto-optimise-store = true;
    };
    gc.automatic = lib.mkDefault true;
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedPriority = 10;
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  services.emacs.package = pkgs.emacs-pgtk;
  services.emacs.enable = true;
  boot.tmp.cleanOnBoot = true;

  nixpkgs.config.allowUnfree = true;
  hardware.enableAllFirmware = true;
  hardware.enableRedistributableFirmware = true;
}