{pkgs, ...}: let
  updateScript = pkgs.writeShellScriptBin "rebuild" ''
    #!/bin/sh
    nixos-rebuild switch --flake /etc/nixos#distrust
  '';
  tor-hostname = import ../helpers/tor-hostname.nix {inherit pkgs;};
in {
  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [updateScript tor-hostname];

  nix.settings.experimental-features = ["nix-command" "flakes"];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "distrust";

  services = {
    openssh = {
      enable = true;
      ports = [292];
      settings.PasswordAuthentication = false;
    };
    fail2ban.enable = true;
    endlessh = {
      enable = true;
      port = 22;
      openFirewall = true;
    };
  };

  users.users.root.hashedPassword = "!";
  users.users.anon = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    hashedPassword = "$6$GAyfgaTQgaBipAbb$gF/9YBh2ucVa/9vDQvEu9DVjSbsqdvSoXwA5RX0kP7.xdCfLqXhGBLlSXHg0e4rkLLd6zI1gRTWd4TfMjnnpS/";
    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196"];
  };
  security.sudo.wheelNeedsPassword = true;

  systemd = {
    services.clear-var-log = {
      description = "Clear /var/log directory";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.coreutils}/bin/rm -rf /var/log/*";
        User = "root";
        Group = "root";
      };
    };
    timers.clear-var-log = {
      description = "Hourly timer to clear /var/log";
      wants = ["clear-var-log.service"];
      timerConfig = {
        OnCalendar = "hourly";
        Persistent = true;
        Unit = "clear-var-log.service";
      };
      wantedBy = ["timers.target"];
    };
  };

  system.stateVersion = "25.05";
}