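# NixOS module for the host "baldur": a virtio-based VM image (serial console,
# auto-growing root partition) that exposes SSH and mDNS on the network.
#
# Review notes:
#  - The file is laid out one setting per line again. Collapsed onto a single
#    line, the first `#` in the firewall section turns the rest of the file
#    (extraCommands, system.stateVersion, the closing braces) into a comment.
#  - The unused top-level `with lib;` was dropped; nothing in this module
#    refers to a name from `lib`.
#  - sshd: keyboard-interactive authentication is now disabled next to
#    password authentication (see services.openssh below).
{ pkgs, lib, ... }:
{
  boot = {
    growPartition = true;
    # Serial console for the hypervisor; reboot one second after a kernel
    # panic, and panic rather than wait at a prompt if stage 1 fails.
    kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
    initrd.kernelModules = [ "virtio_scsi" ];
    kernelModules = [ "virtio_pci" "virtio_net" ];
    loader = {
      grub.device = "/dev/vda";
      timeout = 0;
      grub.configurationLimit = 0;
    };
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "it";
  };

  environment = {
    pathsToLink = [ "/share/zsh" ];
    systemPackages = with pkgs; [ tmux vim kitty ];
  };

  i18n.defaultLocale = "it_IT.UTF-8";
  time.timeZone = "Europe/Rome";

  programs = {
    # gpg-agent also acts as the SSH agent for logged-in users.
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    zsh = {
      enable = true;
      syntaxHighlighting.enable = true;
    };
  };

  services = {
    # mDNS/DNS-SD. With openFirewall and the publish.* switches below, the
    # host announces its name, addresses, workstation record and an SSH
    # service entry to everyone on the local link. Keep this only on
    # networks where that discovery is wanted.
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns = true;
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        userServices = true;
        workstation = true;
      };
      extraServiceFiles = {
        ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
      };
    };

    # Bans repeat offenders; ban time grows with each repeated ban.
    fail2ban = {
      enable = true;
      bantime-increment.enable = true;
    };

    openssh = {
      enable = true;
      openFirewall = true;
      # Root may still log in with a key. This file configures no root key
      # and `bertof` is in wheel, so "no" may be sufficient.
      # NOTE(review): confirm nothing relies on direct root login first.
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
      # passwordAuthentication = false does not cover keyboard-interactive
      # authentication, which can still prompt for a password through PAM.
      # Disable it so that only public-key login is accepted.
      kbdInteractiveAuthentication = false;
    };
  };

  users.users.bertof = {
    isNormalUser = true;
    # "wheel" grants sudo. "docker" and "libvirtd" give access to daemons
    # that run as root, so membership is effectively root-equivalent even
    # without sudo. Treat this account's SSH keys accordingly.
    extraGroups = [
      "audio"
      "input"
      "docker"
      "libvirtd"
      "network"
      "networkmanager"
      "usb"
      "video"
      "wheel"
    ];
    shell = pkgs.zsh;
  };

  networking = {
    hostName = "baldur";
    firewall = {
      enable = true;
      allowPing = true;
      # allowedTCPPorts = [ ];
      # allowedUDPPorts = [ ];
      # Attach the netbios-ns conntrack helper to outgoing UDP/137 so that
      # replies to NetBIOS name queries are tracked as related traffic.
      # NOTE(review): `-A` appends to the raw table's OUTPUT chain; check
      # that the rule is not duplicated each time the firewall is reloaded.
      extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
    };
  };

  system.stateVersion = "22.11";
}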