{
  lib,
  ...
}:
{
  imports = [
    ./hardware-configuration.nix
    ./atticd.nix
  ];

  metacfg = {
    base.enable = true;
    nix.enable = true;
  };

  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  virtualisation = {
    docker.enable = true;
    podman.dockerCompat = false;
  };

  # Legacy BIOS boot (Hetzner cloud instance)
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
  boot.loader.grub.enable = true;

  security.sudo.wheelNeedsPassword = false;

  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  networking.wireless.enable = false;
  networking.useDHCP = false;
  networking.useNetworkd = true;
  systemd.network.networks."30-wan" = {
    matchConfig.Name = "enp1s0";
    networkConfig.DHCP = "ipv4";
    address = [ "2a01:4f9:c014:619::1/64" ];
    routes = [{ Gateway = "fe80::1"; }];
  };
  networking.firewall.allowedTCPPorts = [ 8080 ];
  networking.firewall.allowPing = true;

  powerManagement.cpuFreqGovernor = "ondemand";

  system.stateVersion = "25.11";
}