{ lib, ... }:
{
  imports = [ ./disk.nix ];

  time.timeZone = "America/New_York";

  networking = {
    hostId = "c3798ccc";
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 ];
    };
    useNetworkd = true;
  };

  # Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
  boot.useSystemdBoot = lib.mkForce false;

  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  services.tang.enable = true;

  system.stateVersion = "26.11";
}