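# Shared NixOS module: declares the `kat.*` options and sets host-wide
# defaults (tmpfs /tmp, systemd-networkd + nftables, a pinned Nix search path,
# systemd-resolved outside containers, sshd keepalive probing).
#
# `name` is requested as a module argument because the deploy script's name
# interpolates it. The original referenced `name` without binding it; only
# `with lib;` was in scope, so evaluating `kat.anywhere` would fail with an
# undefined variable.
# NOTE(review): presumably the deployment framework that defines
# `deployment.targetHost` passes the node name as `name` — confirm.
{ lib, config, pkgs, name, ... }:
with lib;
{
  imports = [
    ./users
    ./root.nix
  ];

  options.kat = {
    # WireGuard *public* key of this host. There is no default, so each host
    # has to set it. Only the public half belongs here: option values end up
    # in the world-readable Nix store.
    wireguardPubKey = mkOption {
      type = types.str;
    };

    # Directory containing this module (set to ./. below); read-only.
    path = mkOption {
      readOnly = true;
      type = types.path;
    };

    # Wrapper script that installs this host's configuration with
    # nixos-anywhere; read-only, defined below.
    anywhere = mkOption {
      type = types.package;
      readOnly = true;
    };
  };

  config = {
    kat = {
      path = ./.;

      # The script hands nixos-anywhere the prebuilt disko script and system
      # closure for this host. Running the disko script repartitions the
      # target's disks, so check `deployment.targetHost` before invoking it.
      # NOTE(review): confirm how the installer authenticates the target's SSH
      # host key before the closure is copied over.
      # `deployment.targetHost` is interpolated unquoted; it comes from this
      # repository's own configuration and should stay a plain host name.
      anywhere = pkgs.writeShellApplication {
        name = "anywhere-deploy_${name}.sh";
        runtimeInputs = [ pkgs.nixos-anywhere ];
        # --kexec ${nodes.kat-kexec.config.system.build.kexecTarball}/${nodes.kat-kexec.config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz
        text = ''
          nixos-anywhere --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost}
        '';
      };
    };

    # /tmp lives on a tmpfs.
    boot.tmp.useTmpfs = true;

    networking = {
      useNetworkd = true;
      # Enables nftables; no rules are defined in this file.
      nftables.enable = true;
    };
    systemd.network.enable = true;

    nix = {
      # Point <nixpkgs> and <nixos> at the store path of the nixpkgs this
      # system was built from. With channels disabled below, lookups do not
      # fall back to a separately updated channel.
      nixPath = [
        "nixpkgs=${builtins.storePath pkgs.path}"
        "nixos=${builtins.storePath pkgs.path}"
      ];
      channel.enable = false;
      settings.nix-path = config.nix.nixPath;
      package = pkgs.lix;
    };

    services = {
      # systemd-resolved is turned off inside containers.
      resolved.enable = !config.boot.isContainer;

      # sshd probes a silent client after 60 s and drops it after one
      # unanswered probe. This reaps dead connections; it is not an idle
      # timeout, because a client that answers the probe stays connected.
      # NOTE(review): sshd is not enabled here, and PasswordAuthentication /
      # PermitRootLogin are not set in this file — presumably handled in
      # ./users or ./root.nix; verify.
      openssh.settings = {
        ClientAliveInterval = 60;
        ClientAliveCountMax = 1;
      };
    };
  };
}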