{
  config,
  pkgs,
  lib,
  inputs,
  ...
}:
with config.lyn.lib; {
  imports = [
    ./hardware-configuration.nix
    ./virtualization.nix
  ];
  lyn.kernel.latest.enable = true;
  lyn.profiles.base.enable = true;
  lyn.profiles.headless.enable = true;
  lyn.users.lyn.enable = true;
  lyn.users.ellie.enable = true;
  networking.hostName = "supernova";
  boot.loader.efi.canTouchEfiVariables = true;

  # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
  boot.loader.systemd-boot.enable = true;

  # Firmware updates:
  services.fwupd.enable = true;

  ##1##3##3##7##
  ## Security ##
  ##1##3##3##7##

  # Kernel hardening
  lyn.kernel.hardened.enable = true;
  ## Don't print any errors/logs to the console
  boot.consoleLogLevel = 0;

  # Secure boot
  lyn.profiles.secureboot.enable = true;

  # FDE + initrd stuff
  boot.kernelParams = ["ip=dhcp"];
  boot.loader.timeout = 2;
  boot.initrd = {
    availableKernelModules = ["r8169"];
    systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
    secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
    network = {
      enable = true;
      ssh = {
        enable = true;
        port = 2222;
        # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
        hostKeys = [/root/initrd-ssh-key];
        # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
        # authorizedKeys = [ "ssh-rsa ..." ];
        authorizedKeys = with lib;
          concatLists (mapAttrsToList (name: user:
            if elem "wheel" user.extraGroups
            then user.openssh.authorizedKeys.keys
            else [])
          config.users.users);
      };
    };
  };

  system.stateVersion = "24.05";
}