{ den, lib, lux, ... }:
let
  lingerForUsers = den.lib.perHost (
    { host, ... }:
    {
      nixos.users.users = lib.mapAttrs (_: _: {
        linger = true;
      }) host.users;
    }
  );
in
{
  den.aspects.orion = {
    includes = (with lux.services._; [
      caddy
      openssh
      vaultwarden
      radicale
      actual
      gitea
    ]) ++ [ lingerForUsers ];

    nixos =
      { pkgs, ... }:
      {
        environment.systemPackages = [
          pkgs.kitty
        ];

        networking = {
          firewall.enable = true;
          firewall.allowPing = false;
          nftables.enable = true;
        };

        # Use ssh authorization for sudo instead of password
        security.pam = {
          sshAgentAuth.enable = true;
          services.sudo.sshAgentAuth = true;
        };
      };
  };
}