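# Host module for a small, impermanence-backed NixOS machine.
#
# Module arguments:
#   config  - the evaluated NixOS configuration (used for the agenix secret path)
#   machine - per-host attrset supplied by the flake; this module reads
#             machine.hostname and machine.pub-keys.ssh
#
# Security-relevant choices, in order of appearance:
#   * The user's password hash lives in an agenix secret, never in the store.
#   * Only /nix/persist survives a reboot; everything else is ephemeral.
#   * sshd listens on 5522: keys only, no root, no forwarding, no SFTP.
{ config, machine, ... }:
{
  # agenix secret holding the (mkpasswd-style) hashed password for mtgmonkey.
  # NOTE(review): agenix decrypts with the host's SSH key by default
  # (age.identityPaths). /etc/ssh is NOT in the persistence list below, so
  # unless identityPaths points somewhere under /nix/persist in another
  # module, the host key is regenerated on every boot: this secret stops
  # decrypting and SSH clients see "host key changed" warnings -- confirm.
  age.secrets.secret1.file = ../../secrets/secret1.age;

  boot.tmp.cleanOnBoot = true;
  # "nodev": GRUB config is generated without writing a boot sector
  # (EFI/VM-style setup).
  boot.loader.grub.devices = [ "nodev" ];

  # Impermanence: the root filesystem does not survive a reboot; only what is
  # listed here is bind-mounted back from /nix/persist.
  environment.persistence."/nix/persist" = {
    enable = true;
    hideMounts = true;  # keep the bind mounts out of file-manager mount lists
    directories = [
      "/var/log"
      "/var/lib/nixos"                          # uid/gid maps; must persist or ids drift
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"  # holds Wi-Fi/VPN credentials
    ];
    files = [
      "/etc/machine-id"
      "/etc/ly/save.txt"
    ];
    users."mtgmonkey" = {
      directories = [
        ".local/share/zoxide"
        ".ssh"  # authorized_keys, known_hosts and any private keys survive reboot
      ];
      files = [
        ".bash_history"  # persisted: anything typed on the CLI survives too
        ".brush_history"
      ];
    };
  };

  i18n.defaultLocale = "de_DE.UTF-8";

  networking = {
    dhcpcd.enable = true;
    firewall = {
      enable = true;
      # sshd's port is opened separately by services.openssh.openFirewall
      # (default true), so 5522 does not need to be listed here.
      allowedTCPPorts = [ 80 443 ];
      # 443/udp is HTTP/3 (QUIC); 80/udp has no common service behind it.
      # NOTE(review): confirm something actually listens on 80/udp, else drop it.
      allowedUDPPorts = [ 80 443 ];
    };
    hostName = machine.hostname;
    domain = "";
  };

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    allow-import-from-derivation = true;
  };

  programs.noshell.enable = true;

  services.openssh = {
    enable = true;
    allowSFTP = false;
    ports = [ 5522 ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # FIX: keyboard-interactive authentication goes through PAM on NixOS
      # (sshd runs with UsePAM yes), and PAM prompts for the account password.
      # Leaving this at the default `true` therefore re-enables password
      # logins despite PasswordAuthentication = false. Disable it so the only
      # way in is an authorized key.
      KbdInteractiveAuthentication = false;
    };
    extraConfig = ''
      AllowTcpForwarding no
      AllowAgentForwarding no
      MaxAuthTries 3
      MaxSessions 4
      TCPKeepAlive no
    '';
  };

  system.stateVersion = "26.05";
  time.timeZone = "Europe/Berlin";

  users.users."mtgmonkey" = {
    isNormalUser = true;
    description = "mtgmonkey";
    # hashedPasswordFile is the current option name (passwordFile was renamed
    # in NixOS 23.11 and only survives as a deprecation alias). The file must
    # contain a crypt(3)-style hash, never a cleartext password. agenix's
    # `path` is already a string, so no builtins.toString is needed.
    hashedPasswordFile = config.age.secrets.secret1.path;
    extraGroups = [ "wheel" ];  # sudo, gated by the hashed password above
    openssh.authorizedKeys.keys = machine.pub-keys.ssh;
  };
}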