{ ... }:
{
  imports = [ ./hardware-configuration.nix ];

  metacfg = {
    base.enable = true;
    gui.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    podman.enable = true;
    secureboot.enable = true;
    homeprinter.enable = true;
    user.extraGroups = [
      "docker"
      "dialout"
    ];
    tools = {
      direnv.enable = true;
    };
  };

  system.autoUpgrade = {
    enable = true;
    operation = "boot";
    allowReboot = false;
  };

  system.stateVersion = "23.11";

  services.resolved.enable = true;
  services.resolved.dnssec = "allow-downgrade";

  sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
  sops.secrets.backup-s3.sopsFile = ../../../.secrets/t15/backup-s3.yaml;
  sops.secrets.backup-pw.sopsFile = ../../../.secrets/t15/backup-s3.yaml;

  services.openssh.hostKeys = [
    {
      path = "/persist/ssh/ssh_host_ed25519_key";
      type = "ed25519";
    }
    {
      path = "/persist/ssh/ssh_host_rsa_key";
      type = "rsa";
      bits = 4096;
    }
  ];
}