{ pkgs, config, ... }: {
  config = {
    services.openssh.enable = true;
    services.avahi = { enable = true; nssmdns4 = true; };

    sops.defaultSopsFile = ./secrets/encrypted_secrets.yaml;
    sops.defaultSopsFormat = "yaml";

    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    environment.systemPackages = with pkgs; [
      home-manager
      bash
      busybox
      git
      eza
      sops
    ];

    security.sudo-rs = {
      enable = true;
      execWheelOnly = false;
      wheelNeedsPassword = false; # allows sudo without password for those in the wheel group
    };
  };
}