{
  config,
  modulesPath,
  lib,
  pkgs,
  ...
}@args:
{
  imports = [
    ./bootstrap.nix
  ];

  users.mutableUsers = false;

  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";

    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = { };
  };

  networking.firewall = {
    allowedTCPPorts = lib.mkForce [
      22
      80
      443
    ];
  };
}