{ hostName, inputs, pkgs, config, options, lib, ... }:

{
  boot.kernelParams = [
    # No server/router runs any untrusted user code
    "mitigations=off"
    # Prevents automatic creation of interface bond0 by the kernel
    "bonding.max_bonds=0"
  ];
  boot.tmpOnTmpfs = true;
  # Includes wireguard
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # Keep building
  boot.zfs.enableUnstable = true;

  # no persistent logs
  services.journald.extraConfig = ''
    RuntimeMaxUse=32M
    Storage=volatile
  '';

  # central logging
  services.journalbeat = {
    enable = true;
    tags = [ "zentralwerk" ];
    extraConfig = ''
      journalbeat.inputs:
        # Paths that should be crawled and fetched. Possible values files and directories.
        # When setting a directory, all journals under it are merged.
        # When empty starts to read from local journal.
        - paths: []
      journalbeat:
        seek_position: cursor
        cursor_seek_fallback: tail
        write_cursor_state: true
        cursor_flush_period: 5s
        clean_field_names: true
        convert_to_numbers: false
        move_metadata_to_field: journal
        default_type: journal
        kernel: true
      output.logstash:
        # Boolean flag to enable or disable the output module.
        enabled: true
        hosts: ["${config.site.net.serv.hosts4.logging}:5044"]
    '';
  };

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
    registry = {
      nixpkgs.flake = inputs.nixpkgs;
    };
  };

  documentation = {
    enable = false;
    nixos.enable = false;
  };

  environment.systemPackages = with pkgs; [
    bmon
    bridge-utils
    conntrack-tools
    dhcpcd
    ethtool
    git
    iftop
    iperf
    iptables
    iptraf-ng
    iputils
    mtr
    psmisc
    screen
    speedtest-cli
    tcpdump
    traceroute
    vim
    wget
  ];

  networking.hostName = hostName;

  users.users.root.initialHashedPassword = "";

  system.stateVersion = "20.09";
}