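# NixOS module for a custom minimal installer ISO (host "dk1-iso").
#
# It layers sops-nix secrets, a pre-provisioned Wi-Fi profile, locked-down
# user accounts and key-based SSH on top of the stock minimal installation CD.
# `lib.nixosModules`, `lib.secrets`, `lib.sshKeys` and `lib.overlays` are
# project extensions of `lib` defined outside this file.
{
  lib,
  config,
  pkgs,
  modulesPath,
  ...
}: {
  imports = with lib.nixosModules; [
    (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
    sops
  ];

  sops = {
    # Do not derive decryption keys from SSH host keys; only the explicit
    # age key file below is used.
    gnupg.sshKeyPaths = [];
    age = {
      sshKeyPaths = [];
      # NOTE(review): this path is presumably on the ISO filesystem itself, in
      # which case anyone holding the image or the written medium can read the
      # key and decrypt every secret encrypted to it. Use a key dedicated to
      # this image, limit its recipients to the secrets listed below, and
      # rotate those secrets if the medium is lost. Confirm how the key is
      # placed at this path.
      keyFile = "/iso/key";
    };

    secrets = {
      # neededForUsers makes the password hashes available before the user
      # accounts are created.
      root-password = {
        sopsFile = lib.secrets.users;
        neededForUsers = true;
      };
      user-password = {
        sopsFile = lib.secrets.users;
        neededForUsers = true;
      };
      home-ssid.sopsFile = lib.secrets.network-manager;
      home-psk.sopsFile = lib.secrets.network-manager;
    };

    # Environment file consumed by NetworkManager's ensureProfiles below; the
    # placeholders are replaced with the decrypted values when the template is
    # rendered, so the SSID and PSK never enter the Nix store.
    templates.network-manager.content = ''
      home_ssid="${config.sops.placeholder.home-ssid}"
      home_psk="${config.sops.placeholder.home-psk}"
    '';
  };

  # Out-of-tree kernel module for the USB Wi-Fi adapter, built against the
  # kernel this image boots.
  boot.extraModulePackages = with config.boot.kernelPackages; [
    rtl88xxau-aircrack
  ];

  networking = {
    hostName = "dk1-iso";
    # wpa_supplicant's standalone service is disabled; NetworkManager owns Wi-Fi.
    wireless.enable = false;
    networkmanager = {
      enable = true;
      ensureProfiles = {
        profiles.home = {
          connection = {
            id = "home";
            type = "wifi";
          };
          # Static addressing, so the booted installer is reachable over SSH
          # at a known address.
          ipv4 = {
            method = "manual";
            address1 = "192.168.0.200/24";
            gateway = "192.168.0.1";
            dns = "192.168.0.1";
          };
          wifi = {
            # $home_ssid / $home_psk are substituted from environmentFiles.
            ssid = "$home_ssid";
            mode = "infrastructure";
          };
          wifi-security = {
            # "open" is the 802.11 open-system authentication algorithm, not an
            # unencrypted network; the link is still protected by WPA-PSK.
            auth-alg = "open";
            key-mgmt = "wpa-psk";
            psk = "$home_psk";
          };
        };
        environmentFiles = [config.sops.templates.network-manager.path];
      };
    };
  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "uk";

  users = {
    # Accounts and passwords are fixed by this configuration; changes made at
    # runtime do not persist.
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        hashedPasswordFile = config.sops.secrets.root-password.path;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
      user = {
        isNormalUser = true;
        # NOTE(review): the imported installer profile may relax sudo for
        # wheel; confirm the effective security.sudo.wheelNeedsPassword.
        extraGroups = ["wheel"];
        hashedPasswordFile = config.sops.secrets.user-password.path;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
      # Gives the `nixos` account (declared outside this file, presumably by
      # the installer profile) the same password hash as `user`.
      nixos.hashedPasswordFile = config.sops.secrets.user-password.path;
    };
  };

  services = {
    openssh = {
      enable = true;
      # "prohibit-password" is the current name of the deprecated alias
      # "without-password": root may log in with a key but never a password.
      # mkForce overrides whatever the imported installer profile sets.
      settings.PermitRootLogin = lib.mkForce "prohibit-password";
      # NOTE(review): PasswordAuthentication is not set here. If the effective
      # value allows passwords, `user` and `nixos` accept password logins over
      # SSH; since keys are provisioned, consider setting
      # settings.PasswordAuthentication and
      # settings.KbdInteractiveAuthentication to false.
    };
    getty = {
      # Blank the login help text and force-disable console auto-login so that
      # physical access still requires a password.
      helpLine = lib.mkForce "";
      autologinUser = lib.mkForce null;
    };
  };

  # Project overlay; presumably the source of the non-upstream packages below.
  nixpkgs.overlays = [lib.overlays.pkgs];

  environment.systemPackages = with pkgs; [
    git
    my-vim
    nixos-anywhere
  ];

  nix.settings = {
    # Only root may act as a trusted Nix user on the booted installer.
    trusted-users = ["root"];
    experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  system.stateVersion = "24.11";
}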