# Headless (server) profile. When the profile's `enable` flag is set, this
# module switches on the remote-access, brute-force mitigation and monitoring
# modules, pins a hardened kernel, schedules Nix store maintenance and turns
# off two desktop-oriented services.
#
# NOTE(review): the `enable` option read below is not declared in this
# snippet; presumably it is declared elsewhere in the repository. Confirm.
{ config, lib, pkgs, this, ... }:
let
  inherit (lib) mkIf;

  # Settings for this profile, as set by the host configuration.
  headless = config.nixfiles.modules.profiles.headless;
in
{
  config = mkIf headless.enable {
    # Project-local modules; what each one configures is defined outside this
    # file. Going by the names: an SSH server, an SSH tarpit, ban-on-repeated-
    # failure, and metrics/log shipping. Verify against the module sources.
    nixfiles.modules.openssh.server.enable = true;
    nixfiles.modules.endlessh-go.enable = true;
    nixfiles.modules.fail2ban.enable = true;
    nixfiles.modules.node-exporter.enable = true;
    nixfiles.modules.promtail.enable = true;

    # Pin the kernel to one hardened series so that a nixpkgs bump does not
    # silently move the host to a different kernel series.
    # NOTE(review): a pin is only safe while that series still receives
    # upstream fixes and is still packaged; revisit it on every channel
    # upgrade.
    boot.kernelPackages = pkgs.linuxPackages_5_15_hardened;

    # Weekly garbage collection. Generations older than 30 days are deleted,
    # which also bounds how far back a rollback can reach.
    nix.gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };

    # Daily store optimisation run.
    nix.optimise = {
      automatic = true;
      dates = ["daily"];
    };

    # Desktop-oriented services, switched off for this profile.
    services.udisks2.enable = false;
    xdg.sounds.enable = false;
  };
}