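# NixOS system configuration for the host "m3-hermes".
#
# Pulls in the disk layout and hardware modules, installs GRUB for EFI,
# enables key-only SSH, grants the "hermes" user passwordless sudo for
# podman, and limits inbound traffic to SSH.
{pkgs, ...}: {
  imports = [
    ./disko-config.nix
    ./hardware-configuration.nix
  ];

  # Bootloader.
  boot.loader.grub = {
    efiSupport = true;
    # Install to the removable-media fallback path instead of registering
    # an EFI boot entry in firmware variables.
    efiInstallAsRemovable = true;
  };

  networking.hostName = "m3-hermes";
  # TODO: Generate unique hostId. The value below is a placeholder; hostId
  # must be 8 hex digits and should differ on every machine (ZFS, if the
  # disk layout uses it, relies on it to refuse pools owned by another host).
  networking.hostId = "a1b2c3d4";
  networking.networkmanager.enable = true;

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs; [
    neovim
    git
    ghostty.terminfo # presumably so SSH sessions from Ghostty get a terminfo entry
  ];

  # SSH: key-based logins only, no direct root login.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # Keyboard-interactive (PAM) is a second password path that stays on
      # by default; disable it so "no passwords" actually holds.
      KbdInteractiveAuthentication = false;
    };
  };

  # NOTE(review): this rule lets "hermes" run podman as root with no password.
  # Rootful podman can start privileged containers and bind-mount host paths,
  # so the rule is equivalent to unrestricted root. Treat the hermes account
  # and its SSH keys as root credentials, or switch the workload to rootless
  # podman and drop the rule. podman itself is not installed by this file;
  # presumably another module enables it.
  security.sudo.extraRules = [
    {
      users = ["hermes"];
      commands = [
        {
          command = "/run/current-system/sw/bin/podman";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];

  services.fstrim = {
    enable = true;
    interval = "weekly";
  };

  # Firewall: inbound limited to SSH. The NixOS firewall only filters
  # incoming traffic here; outbound connections are not restricted by
  # these options.
  networking.firewall = {
    enable = true;
    # SSH only. services.openssh also opens its port by default
    # (openFirewall), so this entry is explicit rather than required.
    allowedTCPPorts = [22];
    allowedUDPPorts = [];
    allowPing = false;
  };

  # Release whose stateful defaults this install was created with; leave
  # unchanged when upgrading nixpkgs.
  system.stateVersion = "25.05";
}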