# Baseline settings that every OS build is expected to include.
#
# Review notes on the trust decisions made in this module:
#   * Binary caches: a store path signed by any key in `trusted-public-keys`
#     is accepted, so every key holder is part of the trust base of each host.
#   * `trusted-users` and passwordless sudo for `wheel` both put the listed
#     accounts on a direct path to root; their SSH keys are the real boundary.
#   * Auto-upgrade is off, so security fixes land only when the nixpkgs pin
#     is bumped by hand.
{config, ...}: let
  ports = import ../Cloud/Ports.nix;
in {
  boot.tmp.cleanOnBoot = true;

  networking.firewall = {
    allowPing = true;
    # Presumably the eternal-terminal listener enabled under `services`;
    # confirm against Cloud/Ports.nix.
    allowedTCPPorts = [ports.et];
  };

  nix = {
    settings = {
      # Substituters are only as trustworthy as the signing keys below.
      # The s3:// cache is read through the `digitalocean` credentials profile.
      substituters = [
        "https://cache.nixos.org"
        "https://nix-community.cachix.org"
        "s3://omni-nix-cache?profile=digitalocean&scheme=https&endpoint=nyc3.digitaloceanspaces.com"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "omni-cache:vyAhEFT7D8si2T1SjKHcg6BpU37Qj5klMDRagfNHpUI="
      ];
      experimental-features = ["nix-command" "flakes"];

      # Exposes the ccache directory inside the build sandbox. This is shared
      # state across otherwise isolated builds, so whatever one build leaves
      # in the cache can influence the output of later builds.
      extra-sandbox-paths = [config.programs.ccache.cacheDir];

      # Trusted users may override daemon settings (e.g. add substituters),
      # which the Nix manual treats as equivalent to root access.
      trusted-users = ["ben"];
    };

    # Weekly housekeeping: collect garbage first, then deduplicate the store.
    gc = {
      automatic = true;
      dates = "Sunday 02:15";
    };
    optimise = {
      automatic = true;
      dates = ["Sunday 02:30"];
    };
  };

  programs = {
    ccache.enable = true;
    mosh = {
      enable = true;
      withUtempter = true;
    };
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "bsima@icloud.com"; # fallback to apple-hosted
    };
    # Members of `wheel` get root without a password prompt. Combined with
    # key-only SSH below, a stolen key for a wheel account is a root login.
    sudo.wheelNeedsPassword = false;
  };

  services = {
    # security: malware scanning plus signature updates
    clamav = {
      daemon.enable = true;
      updater.enable = true;
    };

    eternal-terminal.enable = true;

    # security: ban hosts after repeated failures
    fail2ban = {
      enable = true;
      # my home IP; this address is exempt from bans, so revisit the entry
      # if the address is reassigned.
      ignoreIP = [ports.bensIp];
      maxretry = 10;
    };

    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        # Key-based logins only; root may log in, but never with a password.
        PasswordAuthentication = false;
        PermitRootLogin = "prohibit-password";
        # NOTE(review): enabled on every build; keep only if graphical
        # programs are actually forwarded from these hosts.
        X11Forwarding = true;
      };
    };
  };

  system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin

  zramSwap.enable = true;
}