{pkgs, ...}: {
  imports = [
    ./disko-config.nix
    ./hardware-configuration.nix
  ];

  # Bootloader.
  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  networking.hostName = "m3-hermes";
  networking.hostId = "a1b2c3d4"; # TODO: Generate unique hostId
  networking.networkmanager.enable = true;
  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs; [neovim git];

  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  services.fstrim = {
    enable = true;
    interval = "weekly";
  };

  # Firewall: outbound only, SSH inbound
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [22]; # SSH only
    allowedUDPPorts = [];
    allowPing = false;
  };

  system.stateVersion = "25.05";
}