{ config, lib, pkgs, ... }:

{
  imports = [
    ./common.nix
  ];

  documentation.enable = false;

  fonts.fontconfig.enable = false;

  security = {
    acme = {
      acceptTerms = true;
      defaults = {
        email = "hostmaster@vimium.com";
        group = "nginx";
        webroot = "/var/lib/acme/acme-challenge";
      };
    };
    auditd.enable = true;
    audit = {
      enable = true;
      rules = [
        "-a exit,always -F arch=b64 -S execve"
      ];
    };
  };

  systemd = {
    enableEmergencyMode = false;

    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';

    watchdog = {
      runtimeTime = "20s";
      rebootTime = "30s";
    };
  };

  modules.networking.tailscale = {
    enable = true;
    restrictSSH = false;
  };
}