{ config, pkgs, lib, ... }:

{
  # Basic sane defaults
  time.timeZone = "Europe/Stockholm";

  # SSH access (you’ll tweak users later)
  services.openssh.enable = true;
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };

  # Helpful tools on the server
  environment.systemPackages = with pkgs; [
    git
    curl
    jq
    vim
  ];

  # Firewall on by default
  networking.firewall.enable = true;

  # Nix settings (good defaults)
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    auto-optimise-store = true;
  };
}