{
  flake,
  config,
  pkgs,
  lib,
  ...
}: {
  # disable NetworkManager and systemd-networkd -wait-online by default
  systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
  systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;

  networking.networkmanager = {
    # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
    enable = if config.programs.sway.enable then lib.mkDefault true else false;
    # not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
    #wifi.backend = "iwd";
  };

  networking.firewall.enable = true;

  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
    enable = true;
    allowSFTP = lib.mkDefault false;

    openFirewall = lib.mkDefault false;

    settings.PasswordAuthentication = lib.mkDefault false;
    settings.KbdInteractiveAuthentication = false;

    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}