{tree, ...}: {
  imports = with tree; [
    users.root

    profiles.sshd
    profiles.firewallAllow.ssh

    profiles.nixGC
    profiles.serverExtras
  ];

  home-manager.users.root = {
    imports = with tree; [home.base.zsh home.base.age-encryption home.dev.small];
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    checkReversePath = "loose";
  };

  # TODO: Better DNS setup
  services.resolved.enable = false;
  environment.etc."resolv.conf".text = ''
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  '';

  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
    "fs.inotify.max_user_watches" = 1024 * 64 * 16;
  };

  time.timeZone = "Europe/London";
}