# Minimal NixOS host: one key-authenticated "admin" account (in wheel, with
# lingering enabled), OpenSSH, and podman, with manually written subordinate
# id ranges for that account.
{ config, lib, pkgs, modulesPath, ... }:

let
  # Subordinate id range for "admin": 65536 ids starting at 100000.
  # The same line is written to both /etc/subuid and /etc/subgid.
  adminSubIds = ''
    admin:100000:65536
  '';
in
{
  imports = [
    (modulesPath + "/profiles/minimal.nix")
    ./network.nix
  ];

  boot.kernel = {
    minimalModules = true;

    sysctl = {
      # 0 removes the privileged-port boundary: any local unprivileged process
      # may bind ports below 1024, not only the admin account's containers.
      # Presumably set so rootless podman can publish low ports; confirm.
      "net.ipv4.ip_unprivileged_port_start" = 0;
    };
  };

  # system.etc.overlay.mutable = true;
  # users.mutableUsers = true;

  users.users.admin = {
    isNormalUser = true;
    linger = true;
    extraGroups = [ "wheel" ];
  };

  # perlless activation doesn't seem to support subuid / subgid yet,
  # so both files are provided as static /etc entries.
  environment.etc = {
    subuid = {
      text = adminSubIds;
      mode = "0644";
    };
    subgid = {
      text = adminSubIds;
      mode = "0644";
    };
  };

  # wheel members are not asked for a password by doas. "admin" is in wheel,
  # so a session as admin is equivalent to root with no second factor.
  # NOTE(review): doas itself is not enabled in this file; presumably that
  # happens in another module. Verify.
  security.doas.wheelNeedsPassword = false;

  # NOTE(review): only `enable` is set, so sshd runs with the module defaults
  # for password and root login. Since the firewall is off below, consider
  # pinning services.openssh.settings.PasswordAuthentication = false here.
  services.openssh.enable = true;

  # Authorized public keys. The first two are FIDO2 security-key types (sk-*),
  # the third is a plain ed25519 key with no hardware-backed presence check.
  # NOTE(review): system.image.sshKeys is not defined in this file; which
  # account receives these keys depends on the module that declares it.
  system.image.sshKeys = {
    enable = true;
    keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
    ];
  };

  virtualisation.podman.enable = true;

  # The NixOS firewall is off, so every listening socket on this host is
  # reachable from whatever networks it is attached to.
  # NOTE(review): confirm that filtering is done upstream or in ./network.nix.
  networking.firewall.enable = false;

  # Stops systemd-resolved from opening its local DNS stub listener.
  # Presumably frees port 53 for a workload on this host; confirm.
  services.resolved.extraConfig = ''
    DNSStubListener=no
  '';
}