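# NixOS module for the host "bootstrap": a QEMU guest (qemuGuest) that also
# runs libvirtd. Several settings are deliberately loose for first boot (see
# the FIXMEs); the openssh/pam section is where the security-relevant choices
# live and is commented accordingly.
{ lib, pkgs, configLib, configVars, ... }: {
  imports = [
    # Import core options
    ./hardware-configuration.nix
    ../common/core

    # Import optional options
    # ../common/optional/openssh

    # Create users for this host
    ../common/users/admin
  ];

  #virtualisation.virtualbox.guest.enable = true;
  virtualisation.libvirtd = {
    qemu = {
      package = pkgs.qemu_kvm; # only emulates host arch, smaller download
      swtpm.enable = true; # allows for creating emulated TPM
      # Firmware built with Secure Boot and TPM support so guests can boot
      # with a measured/attestable chain when they want one.
      ovmf.packages = [
        (pkgs.OVMF.override {
          secureBoot = true;
          tpmSupport = true;
        }).fd
      ]; # or use pkgs.OVMFFull.fd, which enables more stuff
    };
  };

  #fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings.
  #boot.loader.efi.canTouchEfiVariables = true;
  #boot.loader.grub.device = "/dev/vda";
  # NOTE(review): grub is enabled but no device is set in this file;
  # presumably hardware-configuration.nix supplies it — confirm.
  boot.loader.grub.enable = true;
  # boot.loader.systemd-boot = {
  #   enable = true;
  #   # we use Git for version control, so we don't need to keep too many generations.
  #   # FIXME lower this even more after testing complete
  #   configurationLimit = lib.mkDefault 10;
  #   # pick the highest resolution for systemd-boot's console.
  #   consoleMode = lib.mkDefault "max";
  # };
  boot.initrd.systemd.enable = true;

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "uk";
    useXkbConfig = false;
  };

  networking = {
    hostName = "bootstrap";
    networkmanager.enable = true;
    enableIPv6 = false;
  };

  services = {
    qemuGuest.enable = true;
    openssh = {
      enable = true;
      ports = [22]; # FIXME: Make this use configVars.networking
      # NOTE(review): "yes" lets root log in with any method, including a
      # password when PasswordAuthentication is on. Once the admin keys are
      # deployed, "prohibit-password" keeps key-based bootstrap working and
      # removes the password path for root.
      settings.PermitRootLogin = "yes";
      # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
      # With pam sshAgentAuth enabled below, a user who can write their own
      # ~/.ssh/authorized_keys could otherwise authorise their own agent key
      # for sudo. Forcing the key file to a root-owned path under /etc closes
      # that route. (It does not cover sudo.u2fAuth; see security.pam below.)
      authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
    };
  };

  security.pam = {
    # Let sudo accept a key from a forwarded ssh-agent. sshAgentAuth.enable is
    # the current option name; the older enableSSHAgentAuth is deprecated as
    # of 24.05. By default the accepted keys follow
    # services.openssh.authorizedKeysFiles, i.e. the forced /etc path above.
    sshAgentAuth.enable = true;
    services = {
      # NOTE(review): pam_u2f reads registered keys from its key file; if that
      # is left at the per-user default, the same self-enrolment concern as
      # with ~/.ssh/authorized_keys applies to sudo — confirm where the u2f
      # key file lives for this host.
      sudo.u2fAuth = true;
    };
  };

  # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
  # programs.ssh.startAgent = true;

  environment.systemPackages = builtins.attrValues {
    inherit (pkgs) wget curl git rsync;
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Pin to the release this host was first installed with; do not bump
  # without reading the release notes for stateful migrations.
  system.stateVersion = "23.11";
}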