# Base NixOS module for a VM guest: Nix daemon settings, locale, one admin
# account, SSH access, fail2ban, syslog and a Prometheus node exporter.
#
# Security review notes are marked NOTE(review). They describe the effect of
# values already present here; no setting in this module has been changed.
{ config, pkgs, lib, inputs, ... }:
let
  # Public keys accepted for interactive/admin logins. The same list is
  # installed for the regular user and for root (see `users` below).
  # NOTE(review): the second key is labelled as belonging to a CI runner. Since
  # it is also authorised for root, compromise of that runner would give root
  # on this host. Consider a dedicated deploy account or a restricted key.
  adminSshKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy03fJvfWQtzHgAdH0OPwwcGzdggyuPkveystyrm5+I tbarnouin@gitea-actions-runner"
  ];
in
{
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      # NOTE(review): trusted users can override daemon settings, which is
      # effectively root-equivalent. Here that applies to every wheel member.
      trusted-users = [ "@wheel" ];
    };

    # Weekly garbage collection of store paths older than seven days.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  nixpkgs.config.allowUnfree = true;

  networking = {
    # Hostname comes from an option declared elsewhere (services.vm.hostname).
    hostName = "${config.services.vm.hostname}";

    firewall = {
      enable = true;
      # 22 = SSH, 9002 = Prometheus node exporter (see services.prometheus).
      # NOTE(review): these ports are opened on all interfaces. No
      # authentication or TLS is configured for the exporter in this module,
      # so confirm that only the monitoring network can reach port 9002.
      allowedTCPPorts = [ 22 9002 ];
    };
  };

  time.timeZone = "Europe/Paris";
  console.keyMap = "fr";
  i18n.defaultLocale = "fr_FR.UTF-8";

  # NOTE(review): with passwordless sudo, any process running as a wheel user
  # can become root without a further check. This includes SSH sessions opened
  # with either key in adminSshKeys.
  security.sudo.wheelNeedsPassword = false;

  users.users = {
    tbarnouin = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = adminSshKeys;
      # NOTE(review): initialPassword is stored in clear text in the
      # world-readable Nix store, and this value is trivially guessable. SSH
      # password login is disabled below, so the exposure is local/console
      # login. Prefer hashedPasswordFile, or no password at all if key-only
      # access is intended.
      initialPassword = "test";
    };

    # Root is reachable over SSH with keys only (PermitRootLogin below).
    root.openssh.authorizedKeys.keys = adminSshKeys;
  };

  programs = {
    zsh = {
      enable = true;
      shellAliases = {
        ll = "ls -l";
        lla = "ls -lah";
      };
      ohMyZsh = {
        enable = true;
        plugins = [ "git" ];
        theme = "bira";
      };
    };

    tmux.enable = true;
  };

  environment = {
    sessionVariables = {
      TERM = "xterm-256color";
    };
    localBinInPath = true;
    # Admin and network-diagnostic tooling installed system-wide.
    systemPackages = with pkgs; [
      vim
      bash
      wget
      curl
      git
      htop
      tree
      dig
      ncdu
      nmap
      iperf3
      netcat-openbsd
    ];
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        # Key-based authentication only: both password-style methods are off.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Root may log in, but never with a password.
        PermitRootLogin = "prohibit-password";
      };
      # A single ed25519 host key kept under /var/ssh. The directory is created
      # by the activation script at the bottom of this module.
      hostKeys = [
        {
          path = "/var/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };

    fail2ban = {
      enable = true;
      # NOTE(review): hosts in this range are never banned, so brute-force
      # attempts from it go unthrottled. Presumably this is the hypervisor's
      # NAT network; confirm that only trusted machines sit on it.
      ignoreIP = [ "192.168.122.0/24" ];
    };

    rsyslogd.enable = true;

    prometheus.exporters.node = {
      enable = true;
      enabledCollectors = [ "systemd" ];
      port = 9002;
    };
  };

  system = {
    stateVersion = "24.05";
    # Ensure the host-key directory exists before sshd needs it.
    # NOTE(review): mkdir -p sets no explicit mode or owner here; verify that
    # /var/ssh ends up root-owned and not group/world-writable.
    activationScripts.ensure-ssh-key-dir.text = "mkdir -p /var/ssh";
  };
}