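# NixOS host module: base system settings for a Hetzner machine with a ZFS
# root, a fact-managed root password and key-only SSH access.
{
  config,
  pkgs,
  modulesPath,
  lib,
  factsGenerator,
  ...
}:

{
  # Release whose stateful defaults this host was installed with; do not bump
  # it as part of a routine channel upgrade.
  system.stateVersion = "23.11";

  imports = [
    ./disko-config.nix
    ./hardware-configuration.nix
    ./hetzner.nix
  ];

  # Disk health monitoring.
  services.smartd.enable = true;

  # Root password. The hash is not stored in this file: it is read from the
  # clan facts secret "password.root.pam".
  # NOTE(review): factsGenerator.password is defined elsewhere; presumably it
  # generates the password and its hash, confirm against the generator.
  clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
  users.users.root.hashedPasswordFile =
    config.clan.core.facts.services.rootPassword.secret."password.root.pam".path;

  # TODO: move this SSH hardening into a shared component.
  # The root password above is meant for local/console logins only; over SSH
  # no password-based method should be accepted for any account.
  services.openssh.settings = {
    # root may log in with a key but never with a password.
    PermitRootLogin = "prohibit-password";
    PasswordAuthentication = false;
    # Keyboard-interactive is a separate sshd method that can still prompt for
    # a password through PAM when PasswordAuthentication is off, so it is
    # turned off as well. mkDefault keeps this overridable by a module that
    # needs the method (for example for a second factor).
    KbdInteractiveAuthentication = lib.mkDefault false;
  };

  # /tmp lives in RAM (faster); its contents count against memory and do not
  # survive a reboot.
  boot.tmp.useTmpfs = true;

  # ZFS support. ZFS needs a host id, which is taken from the public fact
  # "zfs.hostId" so that it stays the same across rebuilds.
  boot.supportedFilesystems = [ "zfs" ];
  clan.core.facts.services.zfs = factsGenerator.zfs { };
  networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;

  services.zfs = {
    autoSnapshot.enable = true; # periodic snapshots
    autoScrub.enable = true; # periodic integrity scrub of the pools
  };

  # Because of https://github.com/NixOS/nixpkgs/issues/361006#issuecomment-2598059564
  # The default max inotify watches is 8192.
  # Nowadays most apps require a good number of inotify watches,
  # the value below is used by default on several other distros.
  # Both limits are per user and each watch pins kernel memory, so on a host
  # with untrusted local users a lower value may be preferable; mkDefault lets
  # another module override them.
  boot.kernel.sysctl = {
    "fs.inotify.max_user_instances" = lib.mkDefault 524288;
    "fs.inotify.max_user_watches" = lib.mkDefault 524288;
  };

}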