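# Base profile module.
#
# Declares `common.profiles.base.enable` and, when it is set, applies the
# shared defaults below: host identity, networking/firewall defaults, the
# project's `common.*` building blocks, and an activation-time diff of the
# outgoing and incoming system generations.
#
# Arguments:
#   pkgs, lib, config - the usual NixOS module arguments.
#   machineConfig     - per-machine attribute set; this file reads
#                       machineName, domain and hardware.cpuVendor from it.
#                       NOTE(review): not a standard module argument,
#                       presumably injected via specialArgs. Confirm.
{ pkgs, lib, config, machineConfig, ... }:
{
  options.common.profiles.base.enable = lib.mkEnableOption "base profile";

  config = lib.mkIf config.common.profiles.base.enable {
    # 1 turns on every SysRq function. It is only a mkDefault, so a host that
    # exposes a keyboard or serial console can override it with 0 or a
    # narrower bitmask.
    boot.kernel.sysctl."kernel.sysrq" = lib.mkDefault 1;

    # make things more declarative
    services.userborn.enable = lib.mkDefault true;
    # Kept commented out, so the users.mutableUsers default still applies
    # unless it is set elsewhere.
    #users.mutableUsers = lib.mkForce false;

    networking = {
      # networking.hostId expects 8 hex digits; take the first 8 of the
      # SHA-256 of the machine name so the id is stable per host name.
      hostId = builtins.substring 0 8 (builtins.hashString "sha256" machineConfig.machineName);
      hostName = machineConfig.machineName;
      domain = lib.mkDefault machineConfig.domain;
      useNetworkd = lib.mkDefault true;
      useDHCP = lib.mkDefault false;
      # Firewall on by default with the nftables backend. Both are mkDefault,
      # so a host can still switch them off with a plain definition.
      nftables.enable = lib.mkDefault true;
      firewall.enable = lib.mkDefault true;
    };

    hardware.enableRedistributableFirmware = true;

    # Project-defined options (declared in other modules, not shown here).
    common = {
      profiles = {
        # Pick the CPU profile from the vendor string in machineConfig.
        amdCpu.enable = lib.mkDefault (machineConfig.hardware.cpuVendor == "amd");
        intelCpu.enable = lib.mkDefault (machineConfig.hardware.cpuVendor == "intel");
      };
      configure = {
        boot.enable = lib.mkDefault true;
        locale.enable = lib.mkDefault true;
        sops.enable = lib.mkDefault true;
        # Plain definition (no mkDefault): overriding it needs lib.mkForce.
        nix.enable = true;
      };
      services = {
        # Plain definition (no mkDefault): every host with this profile gets
        # the project's openssh module unless it overrides with lib.mkForce.
        openssh.enable = true;
      };
      security = {
        nix.enable = lib.mkDefault true;
        kernel.enable = lib.mkDefault true;
        networking.enable = lib.mkDefault true;
      };
      programs = {
        shellUtilities.enable = lib.mkDefault true;
        systemUtilities.enable = lib.mkDefault true;
        networkUtilities.enable = lib.mkDefault true;
        fish.enable = lib.mkDefault true;
      };
    };

    programs = {
      command-not-found.enable = false; # Not usable without channels; use nix-index instead.
    };

    services = {
      dbus.implementation = "broker";
    };

    security.sudo.extraConfig = "Defaults lecture=\"never\""; # "We trust you have received the usual lecture from the local System Administrator."

    system = {
      stateVersion = lib.mkDefault "25.11";

      # thanks piegames (https://git.darmstadt.ccc.de/piegames/home-config/-/blob/master/modules/generic.nix#L84)
      activationScripts = {
        # Prints what changes between the running generation and the one
        # being activated: package closure (nvd), then the activate script,
        # /etc and systemd units (colordiff). Also runs on dry activation.
        diff = {
          supportsDryActivation = true;
          text = ''
            # Only compare when a previous generation is linked. Without
            # /run/current-system, readlink prints nothing and nvd would be
            # handed an empty path, marking this snippet as failed.
            if [ -e /run/current-system ]; then
              ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff "$(readlink /run/current-system)" "$systemConfig"

              # Ignore "failures" because these tools have weird exit codes
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -- "$(readlink /run/current-system)/activate" "$systemConfig/activate" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -x "os-release" -x "issue" \
                -- "$(readlink /run/current-system)/etc" "$systemConfig/etc" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
              ${pkgs.colordiff}/bin/colordiff --nobanner --fakeexitcode --color=always -ur -I '\/nix\/store' \
                -x "environment.d" \
                -x "hwdb.d" \
                -- "$(readlink /run/current-system)/systemd" "$systemConfig/systemd" | ${pkgs.gnugrep}/bin/grep -v "^Binary files" || true
            fi
          '';
        };
      };
    };
  };
}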