{ hostName, inputs, pkgs, options, lib, ... }:

{
  boot.kernelParams = [
    # No server/router runs any untrusted user code
    "mitigations=off"
    # Prevents automatic creation of interface bond0 by the kernel
    "bonding.max_bonds=0"
  ];
  boot.tmpOnTmpfs = true;
  # Includes wireguard
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # no persistent logs
  services.journald.extraConfig = ''
    RuntimeMaxUse=32M
    Storage=volatile
  '';

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
    registry = {
      nixpkgs.flake = inputs.nixpkgs;
    };
  };

  documentation = {
    enable = false;
    nixos.enable = false;
  };

  environment.systemPackages = with pkgs; [
    vim screen git wget psmisc
    tcpdump iputils mtr traceroute bmon iptables conntrack-tools
    bridge-utils dhcpcd ethtool
  ];

  networking.hostName = hostName;

  users.users.root.initialHashedPassword = "";

  system.stateVersion = "20.09";
}