{
  lib,
  ...
}:
{
  imports = [
    ./hardware-configuration.nix
    ./atticd.nix
  ];

  metacfg = {
    base.enable = true;
    nix.enable = true;
  };

  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  virtualisation = {
    docker.enable = true;
    podman.dockerCompat = false;
  };

  # Legacy BIOS boot (Hetzner cloud instance)
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
  boot.loader.grub.enable = true;

  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  networking.wireless.enable = false;
  networking.firewall.allowedTCPPorts = [ 8080 ];
  networking.firewall.allowPing = true;

  powerManagement.cpuFreqGovernor = "ondemand";

  system.stateVersion = "25.11";
}