{ config, lib, pkgs, ... }:

let
  inherit (config.system.build) image verityRootHash;

  # Geometry shared by the A and B root slots: a fixed-size verity
  # hash partition next to a fixed-size root partition.
  veritySlot = {
    Type = "root-verity";
    SizeMinBytes = "64M";
    SizeMaxBytes = "64M";
  };
  rootSlot = {
    Type = "root";
    SizeMinBytes = "512M";
    SizeMaxBytes = "512M";
  };

  # The B slot is shipped as an unused, read-only placeholder; presumably
  # the updater (./updater.nix, not visible here) fills and relabels it.
  placeholder = {
    Label = "_empty";
    ReadOnly = 1;
  };
in
{
  imports = [
    ./updater.nix
    ./ssh.nix
    ./builder.nix
    ./veritysetup.nix
  ];

  # Update bundle: every file of the built image plus a SHA256SUMS
  # manifest computed over them.  The manifest is an integrity aid only;
  # whatever authenticates the bundle has to come from the updater side.
  system.build.updatePackage = pkgs.runCommand "update-package" { } ''
    mkdir "$out"
    cd "$out"
    cp "${image}"/* .
    ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
  '';

  # Partition layout created by systemd-repart on first boot.
  systemd.repart.partitions = {
    "10-esp" = {
      Type = "esp";
      Format = "vfat";
      SizeMinBytes = "96M";
      SizeMaxBytes = "96M";
    };
    "20-root-verity-a" = veritySlot;
    "22-root-a" = rootSlot;
    "30-root-verity-b" = veritySlot // placeholder;
    "32-root-b" = rootSlot // placeholder;
    # /home is the only writable, persistent partition.  It is
    # LUKS-encrypted with the key sealed to the TPM2; the PCR policy is
    # whatever systemd-repart applies by default here.
    # NOTE(review): confirm that policy ties unlock to the measured
    # UKI/verity boot chain rather than to firmware state alone.
    "40-home" = {
      Type = "home";
      Format = "btrfs";
      SizeMinBytes = "512M";
      Encrypt = "tpm2";
    };
  };

  boot = {
    loader = {
      grub.enable = false;
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Kernel, initrd and command line are bundled into one UKI.
    uki.name = "patos";

    # Root is an immutable erofs image verified by dm-verity.  The root
    # hash travels on the command line, so presumably it is protected
    # by whatever signature the UKI itself carries — verify in
    # ./veritysetup.nix / the signing setup.
    kernelParams = [
      "rootfstype=erofs"
      "rootflags=ro"
      "roothash=${verityRootHash}"
    ];

    # Needed so the ESP (vfat) can be mounted at all.
    kernelModules = [ "vfat" "nls_cp437" "nls_iso8859-1" ];

    initrd = {
      compressor = "zstd";
      compressorArgs = [ "-8" ];

      # dm-crypt support is required in the initrd to unlock /home.
      luks.forceLuksSupportInInitrd = true;
      kernelModules = [ "dm_mod" "dm_crypt" ] ++ config.boot.initrd.luks.cryptoModules;

      supportedFilesystems = {
        btrfs = true;
        erofs = true;
      };

      systemd = {
        enable = true;
        repart.enable = true;
        # Partitioning runs only after the verified root is mounted,
        # overriding the module's default ordering.
        services.systemd-repart = {
          after = lib.mkForce [ "sysroot.mount" ];
          requires = [ "sysroot.mount" ];
          serviceConfig.Environment = [
            "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
          ];
        };
      };
    };
  };

  # Keep /etc and the user database immutable at runtime.
  system.etc.overlay.mutable = false;
  users.mutableUsers = false;

  # /var is volatile: nothing under it survives a reboot.
  fileSystems."/var" = {
    fsType = "tmpfs";
    options = [ "mode=0755" ];
  };

  # /etc is read-only, so the SSH host key has to live on the
  # persistent (and TPM2-encrypted) /home partition instead.
  services.openssh.hostKeys = [
    {
      path = "/home/.ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];

  # An empty machine-id on a read-only /etc leaves it to systemd to
  # supply one at boot.
  # NOTE(review): mode 0755 sets an execute bit a plain data file does
  # not need; 0444 would presumably do — confirm nothing relies on this.
  environment.etc."machine-id" = {
    text = "";
    mode = "0755";
  };

  systemd.targets = {
    # Fail the boot outright rather than continue with a missing mount.
    "sysinit".requires = [ "local-fs.target" ];
    # ...and treat /home (host keys, persistent state) as such a mount.
    "local-fs".requires = [ "home.mount" ];
  };
}