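# NixOS module for a QEMU guest whose root filesystem is a tmpfs; only the
# paths listed under environment.persistence survive a reboot.
#
# Arguments: `machine` is supplied by the caller (not visible in this file)
# and must provide `hostname`.
{
  config,
  lib,
  modulesPath,
  machine,
  ...
}: {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  # age-encrypted secret, decrypted at activation time.
  age.secrets.secret2.file = ../../secrets/secret2.age;

  boot.tmp.cleanOnBoot = true;
  boot.loader.grub.devices = ["nodev"];

  # State kept across reboots. Everything else below / is discarded because
  # / is a tmpfs (see fileSystems."/").
  #
  # NOTE(review): /etc/ssh is not in this list. Unless the SSH host keys are
  # persisted or relocated elsewhere in the configuration, sshd generates new
  # host keys on every boot: clients then see a changed host key after each
  # reboot (which teaches users to click through the warning), and an age
  # identity derived from those keys could not decrypt secret2. Confirm.
  environment.persistence."/nix/persist" = {
    enable = true;
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
    ];
    files = [
      "/etc/machine-id"
      "/etc/ly/save.txt"
    ];
    users."mtgmonkey" = {
      # .ssh holds the user's SSH material (authorized_keys, known_hosts);
      # shell histories may contain typed secrets, keep that in mind when
      # backing up /nix/persist.
      directories = [
        ".local/share/zoxide"
        ".ssh"
      ];
      files = [
        ".bash_history"
        ".brush_history"
      ];
    };
  };

  i18n.defaultLocale = "de_DE.UTF-8";

  networking = {
    dhcpcd.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [80 443];
      # NOTE(review): UDP 443 is only needed for HTTP/3 (QUIC) and UDP 80 has
      # no common use; drop whichever is not actually served.
      # The SSH port (5522) is not listed here; presumably it is opened by
      # services.openssh.openFirewall, which defaults to true -- confirm.
      allowedUDPPorts = [80 443];
    };
    # machine.hostname may carry a leading "_", which is not valid in a
    # hostname and is stripped here.
    hostName = lib.strings.removePrefix "_" machine.hostname;
    domain = "";
    useDHCP = true;
  };

  nix.settings = {
    experimental-features = [
      "nix-command"
      "flakes"
    ];
    allow-import-from-derivation = true;
  };

  programs.noshell.enable = true;

  services.openssh = {
    enable = true;
    allowSFTP = false;
    ports = [5522];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # Was `true`. With PAM enabled (the NixOS default), keyboard-interactive
      # is a second route to password login, so leaving it on silently undoes
      # PasswordAuthentication = false and exposes the account to password
      # guessing. Re-enable only together with a PAM stack that demands a
      # second factor.
      KbdInteractiveAuthentication = false;
    };
    # Forwarding is disabled so a login cannot be used as a pivot; the
    # remaining limits bound authentication attempts and sessions per
    # connection.
    extraConfig = ''
      AllowTcpForwarding no
      AllowAgentForwarding no
      MaxAuthTries 3
      MaxSessions 4
      TCPKeepAlive no
    '';
  };

  system.stateVersion = "26.05";
  time.timeZone = "Europe/Berlin";

  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];

  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "defaults"
      "size=30%"
      "mode=755"
    ];
  };

  # Root-rollback script for a btrfs root: moves the previous `root`
  # subvolume to old_roots/<timestamp>, deletes archived roots older than
  # 30 days, and creates a fresh `root` subvolume.
  #
  # Fixed: the timestamp format used `$M` (an unset shell variable that
  # expands to nothing) instead of `%M`, so archived roots were named without
  # their minutes and two roots archived within the same hour and second
  # could collide.
  #
  # NOTE(review): fileSystems."/".device is "none" (tmpfs) in this module, so
  # the mount below is `mount none /btrfs_tmp` and cannot succeed; the btrfs
  # commands then run against a plain directory in the initrd. This script
  # looks like a leftover from a btrfs-root setup -- either point it at the
  # real btrfs device or remove it.
  boot.initrd.postResumeCommands = lib.mkAfter ''
    mkdir /btrfs_tmp
    mount ${config.fileSystems."/".device} /btrfs_tmp
    if [[ -e /btrfs_tmp/root ]]; then
        mkdir -p /btrfs_tmp/old_roots
        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
    fi

    delete_subvolume_recursively() {
        IFS=$'\n'
        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
            delete_subvolume_recursively "/btrfs_tmp/$i"
        done
        btrfs subvolume delete "$1"
    }

    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
        delete_subvolume_recursively "$i"
    done

    btrfs subvolume create /btrfs_tmp/root
    umount /btrfs_tmp
  '';

  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/6b481376-9716-4559-946b-62097c2380f1";
    fsType = "ext4";
  };

  # NOTE(review): "systemd-1"/autofs is what a hardware scan records for an
  # automount point, not a real device -- confirm this entry is intended.
  fileSystems."/efi" = {
    device = "systemd-1";
    fsType = "autofs";
  };

  swapDevices = [];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}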