# Baseline NixOS host module: Nix housekeeping, locale, key-only SSH,
# fail2ban jails, a single admin account and unattended upgrades.
{ lib, ... }:
{
  nix = {
    # Weekly garbage collection; generations older than 7 days are deleted,
    # which also limits how far back a rollback can go.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };

    settings = {
      experimental-features = "nix-command flakes";

      # mkAfter orders this key after the keys defined elsewhere.
      # Store paths signed with this key are accepted as trusted, so the
      # matching private key must be protected like a root credential for
      # this host.
      trusted-public-keys = lib.mkAfter [
        "local.yesod.ellie:3cAK/At9uVQq5kNrZco1cuthpgoPy7JfEvd+sBs80fk="
      ];
    };
  };

  time.timeZone = "America/Vancouver";
  i18n.defaultLocale = "en_US.UTF-8";

  networking.useDHCP = true;

  services = {
    # SSH: public-key authentication only, no root login, one allowed account.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        AllowUsers = [ "ellie" ];
      };
    };

    # Global defaults: ban after 5 failures for 1h, with the ban time
    # growing for repeat offenders (bantime-increment).
    fail2ban = {
      enable = true;
      maxretry = 5;
      bantime = "1h";
      bantime-increment.enable = true;

      jails = {
        # Stricter than the global default: 3 failures.
        sshd.settings = {
          enabled = true;
          maxretry = 3;
        };

        # NOTE(review): nginx is not configured in this file and all three
        # nginx jails read from the journal (backend = "systemd"). Confirm
        # that the log lines these filters parse actually reach the journal;
        # a jail pointed at the wrong source never matches and never bans.
        nginx-botsearch.settings = {
          enabled = true;
          filter = "nginx-botsearch";
          backend = "systemd";
          maxretry = 2;
        };
        nginx-http-auth.settings = {
          enabled = true;
          filter = "nginx-http-auth";
          backend = "systemd";
        };
        nginx-bad-request.settings = {
          enabled = true;
          filter = "nginx-bad-request";
          backend = "systemd";
        };
      };
    };
  };

  # Members of wheel must enter their password for sudo.
  security.sudo.wheelNeedsPassword = true;

  users = {
    # Passwords changed with `passwd` persist across rebuilds.
    mutableUsers = true;

    users.ellie = {
      isNormalUser = true;
      description = "Ellie";
      extraGroups = [ "wheel" ];

      # NOTE(review): this password is plaintext in the configuration (and
      # therefore readable by anyone who can read this file or the evaluated
      # system in the Nix store). Because ellie is in wheel, it is also the
      # sudo password until it is changed. SSH password logins are disabled
      # above, so the exposure is console login and sudo. Change it right
      # after the first boot, or supply a hash via hashedPasswordFile instead.
      initialPassword = "install";

      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOv7i4ChPUm+DmELG6uRx0co4quhQ+h7QB4fgcxcC3qx contact@elliehigh.com"
      ];
    };
  };

  system = {
    # Unattended upgrade at 04:00; the host may reboot itself afterwards.
    # Whatever the upgrade source provides is activated without review, so
    # the integrity of that source is part of this host's trust base.
    autoUpgrade = {
      enable = true;
      allowReboot = true;
      dates = "04:00";
    };

    # Release whose stateful defaults this host was installed with; it is
    # not meant to be bumped as part of routine upgrades.
    stateVersion = "25.05";
  };
}