# Base NixOS module with system-wide defaults: /tmp handling, documentation
# outputs, editor/pager environment, root's home-manager profile, Nix daemon
# settings and registry pin, journald limits, I/O scheduler rules, systemd-oomd
# and user management. Most values use mkDefault so another module can
# override them with a plain assignment.
{
  config,
  pkgs,
  lib,
  inputs,
  ...
}:
with lib;
{
  # /tmp is a tmpfs and is emptied on every boot.
  boot.tmp = {
    cleanOnBoot = mkDefault true;
    useTmpfs = mkDefault true;
  };

  # NOTE: mostly useless on a server, and CPU intensive.
  # Only the doc and man outputs stay on by default; dev, info and the
  # NixOS manual are off.
  documentation = {
    enable = mkDefault true;
    dev.enable = mkDefault false;
    doc.enable = mkDefault true;
    info.enable = mkDefault false;
    man.enable = mkDefault true;
    nixos.enable = mkDefault false;
  };

  programs.vim = {
    enable = mkDefault true;
    defaultEditor = mkDefault true;
  };

  environment.variables = {
    EDITOR = "vim";
    # Forced to the empty string so that no nixpkgs config file is referenced
    # through this variable.
    NIXPKGS_CONFIG = mkForce "";
    PAGER = "less -R";
    # Flags handed to less when systemd tools page their output.
    SYSTEMD_LESS = "FKMRX";
    # Setting TZ= avoids a lot of useless syscalls reading /etc/localtime,
    # but the session must be restarted for a time zone change to reach
    # all programs.
    TZ = mkDefault (if config.time.timeZone == null then "Europe/Paris" else config.time.timeZone);
  };

  # Root gets the shared home-manager options plus the "essential" profile,
  # and a curses pinentry for gpg-agent.
  home-manager.users.root = {
    imports = [
      ../../home-manager/options.nix
      ../../home-manager/profiles/essential.nix
    ];
    services.gpg-agent.pinentryPackage = pkgs.pinentry-curses;
  };

  nix = {
    package = pkgs.nixVersions.stable;

    settings = {
      auto-optimise-store = mkDefault true;
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };

    # Weekly garbage collection. Generations older than 7 days are deleted,
    # so older rollback targets are not kept.
    gc = {
      automatic = mkDefault true;
      dates = mkDefault "weekly";
      options = mkDefault "--delete-older-than 7d";
    };

    # Forced empty: nothing is resolved through NIX_PATH entries.
    nixPath = mkForce [ ];

    # Pin the rev to the revision of the public Nixpkgs that the system was built from.
    # This is the version which will be locked by flakes using flake:nixpkgs
    #registry.nixpkgs = mkDefault { flake = inputs.nixpkgs; };
    registry.nixpkgs = {
      from = {
        id = "nixpkgs";
        type = "indirect";
      };
      to = {
        owner = "NixOS";
        repo = "nixpkgs";
        inherit (inputs.nixpkgs) rev;
        # May be overridden by nixos/modules/installer/cd-dvd/channel.nix
        type = mkDefault "github";
      };
    };
  };

  # Kernel module loading is not locked after boot. This is a plain
  # assignment, so it takes precedence over a mkDefault set elsewhere
  # (for instance by a hardening profile).
  security.lockKernelModules = false;

  services = {
    logrotate.enable = true;

    # Persistent, compressed journal.
    # NOTE(review): the 100M / 1 month cap bounds how far back the local
    # journal reaches; longer retention needs the logs shipped off-host.
    journald.extraConfig = ''
      Compress=true
      MaxRetentionSec=1month
      Storage=persistent
      SystemMaxUse=100M
    '';

    # none is the recommended elevator for SSD, whereas HDD could use mq-deadline.
    # Both rules only match non-rotational devices.
    udev.extraRules = ''
      ACTION=="add|change", KERNEL=="sd[a-z][0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
      ACTION=="add|change", KERNEL=="nvme[0-9]*n[0-9]*p[0-9]*", ATTR{../queue/rotational}=="0", ATTR{../queue/scheduler}="none"
    '';
  };

  systemd = {
    # systemd-oomd watches the root, system and user slices.
    oomd = {
      enable = mkDefault true;
      enableRootSlice = mkDefault true;
      enableSystemSlice = mkDefault true;
      enableUserSlices = mkDefault true;
    };

    # "omit" keeps sshd out of systemd-oomd's kill candidates, so remote
    # access is not taken down by an out-of-memory kill from oomd.
    services.sshd.serviceConfig.ManagedOOMPreference = "omit";
  };

  /*
    system.nixos.versionSuffix = ".${
    substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
    inputs.self.shortRev or "dirty"}";
    system.nixos.revision = mkIf (inputs.self ? rev) inputs.self.rev;
  */

  # Let 'nixos-version --json' know about the Git revision of this flake.
  # The value is only set when the flake has a rev; a build without one
  # records no revision. The disabled variant below refuses such builds.
  system.configurationRevision = mkIf (inputs.self ? rev) inputs.self.rev;
  /*
    system.configurationRevision =
    if inputs.self ? rev
    then inputs.self.rev
    else throw "Refusing to build from a dirty Git tree!";
  */

  # Users and groups come only from the configuration; the user and group
  # files are replaced on activation.
  users.mutableUsers = false;
}