{
  config,
  pkgs,
  lib,
  flake,
  ...
}:
{
  nixpkgs.config = lib.mkDefault {
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
    permittedInsecurePackages = [ "olm-3.2.16" ];
  };

  system.activationScripts.diff-closures = {
    text = ''
      if [[ -e /run/current-system ]]; then
        ${config.nix.package}/bin/nix store diff-closures \
          /run/current-system "$systemConfig" \
          --extra-experimental-features nix-command
      fi
    '';
    supportsDryActivation = true;
  };

  nix = {
    # Use default version alias for nix package
    package = pkgs.nix;
    gc.automatic = true;
    optimise.automatic = true;

    registry = {
      nixpkgs.flake = flake.inputs.nixpkgs;
      unstable.flake = flake.inputs.unstable;
      system.flake = flake.self;
    };

    settings = {
      # Improve nix store disk usage
      auto-optimise-store = true;
      # Prevents impurities in builds
      sandbox = true;
      # Give root and @wheel special privileges with nix
      trusted-users = [
        "root"
        "@wheel"
      ];
      # Allow only group wheel to connect to the nix daemon
      allowed-users = [ "@wheel" ];
    };

    # Generally useful nix option defaults
    extraOptions = lib.mkForce ''
      experimental-features = flakes nix-command
      min-free = 536870912
      keep-outputs = true
      keep-derivations = true
      fallback = true
    '';

    nixPath = [
      "nixpkgs=${flake.inputs.nixpkgs}"
      "nixos-config=${../../lib/compat/nixos}"
      "home-manager=${flake.inputs.home-manager}"
    ];
  };
}