{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: {
  imports = [inputs.nixos-hardware.nixosModules.raspberry-pi-4 ../../tailscale];

  networking = {
    hostName = "homescreen";
    networkmanager = {enable = true;};
  };

  environment.systemPackages = with pkgs; [neovim htop btop atop];

  hardware = {
    raspberry-pi."4".fkms-3d.enable = true;

    enableRedistributableFirmware = true;
    deviceTree.filter = lib.mkForce "*rpi-*.dtb";
  };
  services = {
    fail2ban.enable = true;

    openssh = {
      enable = true;
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
    };
    xserver = {
      enable = true;
      displayManager = {
        lightdm.enable = true;
        autoLogin.enable = true;
        autoLogin.user = "kiosk";
      };
      desktopManager.gnome.enable = true;
      libinput.enable = true;
    };
  };

  users = {
    mutableUsers = false;
    users.kiosk = {isNormalUser = true;};
    extraUsers.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
    ];
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = ["noatime"];
    };
    "/boot/firmware" = {
      device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
      options = ["nofail" "noauto"];
    };
  };

  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  security.allowUserNamespaces = true;

  time.timeZone = "Europe/London";
  system.stateVersion = "23.11";

  nix = {
    settings.auto-optimise-store = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    # Free up to 1GiB whenever there is less than 100MiB left.
    extraOptions = ''
      min-free = ${toString (100 * 1024 * 1024)}
      max-free = ${toString (1024 * 1024 * 1024)}
    '';
  };
}