{ pkgs, ... }:

let
  inherit (pkgs.lib) mkDefault;

  # One shared value for every systemd manager Default*Sec setting below.
  unitTimeout = "10s";
in
{
  # Hint Electron apps to use Wayland (Ozone) rather than XWayland.
  environment.sessionVariables.NIXOS_OZONE_WL = "1";

  nixpkgs.config.allowUnfree = true;

  security = {
    polkit.enable = true;
    rtkit.enable = true;
  };

  programs = {
    zsh.enable = true;

    # Library set exposed to binaries run through nix-ld.
    nix-ld = {
      enable = true;
      libraries = with pkgs; [
        # Toolchain / C++ runtime
        stdenv.cc.cc      # libc, libgcc, libstdc++
        stdenv.cc.cc.lib  # sometimes needed explicitly

        # Compression / archive
        zlib
        zstd
        xz
        bzip2

        # Crypto / TLS / networking
        openssl
        curl
        libssh

        # Core system libs
        attr
        acl
        util-linux
        libsodium
        systemd           # libudev, libsystemd
        libxml2
        expat

        # Graphics / X11 / desktop
        xorg.libX11
        xorg.libXext
        xorg.libXfixes
        xorg.libXdamage
        xorg.libXcomposite
        xorg.libXrandr
        xorg.libxcb
        libdrm
        mesa
        libxkbcommon

        # Audio / desktop integration
        alsa-lib
        dbus
        cups

        # GLib / GTK stack (lots of GUI apps, Electron, etc.)
        glib
        gdk-pixbuf
        pango
        cairo
        atk
        gtk3

        # NSS/NSPR (Firefox, Electron, many apps)
        nspr
        nss
      ];
    };
  };

  # NOTE(review): the host firewall is switched off while sshd (services.openssh
  # below) is enabled, so every listening service on this machine is reachable
  # unless something upstream filters traffic. Confirm this is intended for the
  # networks the host is deployed on.
  networking.firewall.enable = false;
  networking.nameservers = mkDefault [ "1.1.1.1" "1.0.0.1" ];

  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        memtest86.enable = true;
        netbootxyz.enable = true;  # adds a network-boot menu entry
      };
      timeout = 1;
      efi.canTouchEfiVariables = true;
    };
    tmp.cleanOnBoot = true;
  };

  systemd = {
    # Short manager-wide timeouts so hung units do not stall boot/shutdown.
    settings.Manager = {
      DefaultTimeoutStopSec = unitTimeout;
      DefaultTimeoutStartSec = unitTimeout;
      DefaultTimeoutAbortSec = unitTimeout;
      DefaultDeviceTimeoutSec = unitTimeout;
    };
    services.systemd-user-sessions.enable = false;
  };

  powerManagement.enable = true;

  services = {
    thermald.enable = true;
    pcscd.enable = true;
    fwupd.enable = true;
    gvfs.enable = true;
    fstrim.enable = true;

    # Key-only SSH: root login and password authentication are both refused.
    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
      };
    };

    # mkDefault so another module can override the resolver choice.
    resolved = {
      enable = mkDefault true;
      fallbackDns = [ "1.1.1.1" "1.0.0.1" ];
    };
  };

  fonts.packages = with pkgs; [
    noto-fonts
    noto-fonts-cjk-sans
    noto-fonts-color-emoji
    iosevka
    roboto
    font-awesome
    jetbrains-mono
    nerd-fonts.fira-code
    nerd-fonts.ubuntu
    nerd-fonts.zed-mono
  ];

  environment.systemPackages = with pkgs; [
    virtiofsd
    wget
    curl
    git
    lm_sensors
    wireguard-tools

    # Podman
    dive
    podman-tui
    docker-compose
  ];

  nix.gc = {
    automatic = true;
    dates = "daily";
    options = "--delete-older-than 2d";
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.settings.dns_enabled = true;
    };
  };
}