# NixOS module for a remote, headless server: keep the machine reachable
# over SSH by rebooting automatically instead of waiting for someone at
# the console.
{ lib, ... }:
{
  imports = [ ./ssh.nix ];

  # Reboot 10 seconds after a kernel panic, so that nobody has to go and
  # power cycle the server physically. A panic can happen, for instance,
  # when the wrong ZFS password is entered but the boot is manually forced
  # to continue.
  # Passing this as a kernel parameter rather than through kernel.sysctl
  # makes it effective as early as the initrd.
  # NOTE(review): if the cause of the panic persists, the host will keep
  # rebooting unattended; rely on persistent logs to diagnose it.
  boot.kernelParams = [ "panic=10" ];

  # Terminal (curses) pinentry for gpg-agent.
  # NOTE(review): newer nixpkgs releases replace this option with
  # programs.gnupg.agent.pinentryPackage; confirm against the pinned channel.
  programs.gnupg.agent.pinentryFlavor = "curses";

  # Never drop into systemd's emergency shell: it does not try to start
  # sshd, so always attempt to bring up every unit (default.target).
  # https://wiki.archlinux.org/index.php/systemd#Disable_emergency_mode_on_remote_host
  # NOTE(review): with emergency mode off, a failed mount or unit no longer
  # stops the boot, so the host can come up with other units failed;
  # check `systemctl --failed` after an unattended reboot.
  systemd.enableEmergencyMode = false;

  systemd.watchdog = {
    # See https://0pointer.de/blog/projects/watchdog.html
    # systemd signals the hardware watchdog at half of this interval,
    # i.e. every 60s. If the hardware watchdog receives no signal for
    # 120s, it forcefully reboots the system.
    runtimeTime = lib.mkDefault "120s";

    # Forcefully reboot when the final stage of a reboot hangs without
    # progress for more than 120s.
    # See https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
    rebootTime = lib.mkDefault "120s";
  };
}