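# NixOS system configuration: UEFI boot through systemd-boot, a LUKS-encrypted
# ext4 root, a swap file, UK locale settings, and key-only SSH behind the
# built-in NixOS firewall.
{ config, pkgs, ... }:
{
  # Bootloader
  # All boot settings live in one attribute set. The original declared
  # systemd-boot twice (a duplicate-attribute evaluation error), omitted the
  # `;` after the `boot = { ... }` set, and used `boot.efi` with `enable` /
  # `espDevice`; the EFI options belong under `boot.loader.efi`.
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Unlock the encrypted root in the initrd. The attribute name is the
    # device-mapper name, so this container appears as /dev/mapper/cryptroot.
    # NOTE(review): kernel names such as /dev/sda2 can change between boots or
    # hardware changes; a /dev/disk/by-uuid/ path is more robust - confirm.
    initrd.luks.devices.cryptroot.device = "/dev/sda2";
  };

  # NOTE(review): the original named /dev/sda2 as both the ESP and the LUKS
  # container. The EFI System Partition has to be a separate, unencrypted vfat
  # partition mounted at /boot (the default boot.loader.efi.efiSysMountPoint).
  # Declare it here unless another module (e.g. hardware-configuration.nix)
  # already does:
  #   fileSystems."/boot" = { device = "<ESP-DEVICE-PLACEHOLDER>"; fsType = "vfat"; };
  # LUKS protects data at rest only: the kernel and initrd on the ESP stay
  # unencrypted, so their integrity is not covered by this setup.

  # Root filesystem. Must reference the mapper name declared above; the
  # original pointed at /dev/mapper/root, which nothing in this file creates,
  # so the system would fail to mount / at boot.
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  # Swap file created automatically by NixOS; `size` is in megabytes. It lives
  # on the encrypted root, so swapped-out pages are encrypted at rest.
  swapDevices = [
    {
      device = "/swapfile";
      size = 8192;
    }
  ];

  # Locales and timezone
  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";

  # Firewall (the NixOS firewall module, not UFW). Inbound traffic is dropped
  # except for the ports listed here.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ]; # Allow SSH
  };

  # Enable SSH with public-key authentication only.
  # NOTE(review): no user or authorized key is declared in this file. With
  # password logins disabled, SSH access needs a key from another module, e.g.
  #   users.users.<USER-PLACEHOLDER>.openssh.authorizedKeys.keys = [ "<PUBLIC-KEY-PLACEHOLDER>" ];
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # Keyboard-interactive auth can still prompt for a password through PAM
      # when only PasswordAuthentication is disabled, so turn it off as well.
      KbdInteractiveAuthentication = false;
    };
  };
}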