# Base module shared by every host: timezone, Nix daemon housekeeping, shell
# setup, privilege escalation via doas, console, firmware and microcode updates.
{ config, lib, pkgs, site_config, username, ... }:
{
  # Timezone comes from the shared site config. It is set at plain priority so
  # that it beats srvos's mkDefault "UTC"; mreow overrides it with lib.mkForce
  # when travelling.
  time.timeZone = site_config.timezone;

  # Nix daemon settings common to all hosts. Host-specific overrides (binary
  # cache substituters, gc retention) live in the host's default.nix.
  nix.optimise.automatic = true;
  nix.gc = {
    automatic = true;
    dates = "weekly";
    # Default retention; a host that wants a different window overrides this
    # with lib.mkForce.
    options = lib.mkDefault "--delete-older-than 30d";
  };
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  programs = {
    # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
    # The login shell remains bash, which immediately `exec`s fish. Fish is
    # then the effective interactive shell, and scripts that hardcode
    # #!/bin/bash keep working.
    fish.enable = true;

    # Hand over to fish unless the parent process is already fish or bash was
    # started with a command string (BASH_EXECUTION_STRING is non-empty).
    # procps and fish are referenced by store path, so the hand-over does not
    # depend on the session's PATH.
    bash.interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
      fi
    '';
  };

  # doas replaces sudo on every host.
  security.sudo.enable = false;
  security.doas = {
    enable = true;
    extraRules = [
      {
        users = [ username ];
        # NOTE(review): keepEnv passes the caller's environment through to the
        # command run as root instead of resetting it, so an unprivileged
        # process that can alter the session environment can influence root
        # commands. If only a few variables are needed, the rule's `setEnv`
        # list is the narrower option.
        keepEnv = true;
        # NOTE(review): persist skips the password prompt for a period after a
        # successful authentication; during that window anything running in
        # the same session can escalate without a prompt. Worth confirming
        # this is wanted on servers as well as workstations.
        persist = true;
      }
    ];
  };

  services = {
    kmscon.enable = true;

    # Firmware updates.
    fwupd = {
      enable = true;
      # NOTE(review): lvfs-testing is the LVFS pre-release channel, so firmware
      # that vendors have not yet promoted to stable is offered to every host
      # importing this module; consider enabling it per host instead.
      extraRemotes = [ "lvfs-testing" ];
    };
  };

  environment = {
    # Supplies a `sudo` command backed by doas for tools that call sudo.
    systemPackages = [ pkgs.doas-sudo-shim ];

    # Replace the default NixOS /etc/issue with an empty file.
    etc.issue.text = "";
  };

  hardware = {
    enableRedistributableFirmware = true;
    cpu.amd.updateMicrocode = true;
  };
}