{
  pkgs,
  lib,
  ...
}: {
  imports = [
    ./modules/flatpak.nix
  ];

  # NOTE: mkDefault is 1000 and mkForce is 50
  # NOTE: so this is like a second mkDefault
  security.sudo.wheelNeedsPassword = lib.mkDefault true;

  networking = {
    networkmanager.enable = true;

    nftables.enable = true;
    firewall.enable = lib.mkDefault true;

    # Use CloudFlare's WARP+ 1.1.1.1 DNS service
    nameservers = [
      "1.1.1.1"
      "1.0.0.1"
    ];
  };

  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 7d --keep 3";
    flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you
  };

  nix.settings = {
    # make wheel group trusted users allows my "ae" user
    # to import packages not signed by a trusted key
    # (aka super duper easier to remote deploy)
    trusted-users = ["root" "@wheel"];
    experimental-features = [
      "nix-command"
      "flakes"
      "pipe-operators"
    ];
    download-buffer-size = 524288000; # 500 MiB
  };

  time.timeZone = lib.mkDefault "Australia/Brisbane";

  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  users.defaultUserShell = pkgs.bash;

  environment.systemPackages = with pkgs; [
    git
    vim
    wget
    tree
  ];
}