# NixOS module for host "dia": declares the primary user account, enables
# Docker, and installs a sandboxed ("jailed") antigravity-cli wrapper.
{
  pkgs,
  identities,
  primaryUser,
  jail-nix,
  ...
}:
let
  # jail.nix entry point, bound to this system's package set.
  jail = jail-nix.lib.init pkgs;

  # Command-line tools handed to the jail through add-pkg-deps.
  # NOTE(review): together with the `network` combinator below, curl/wget/python3
  # let the jailed process send out anything it can read. Treat every path
  # mounted into the jail as reachable from the network.
  agentToolchain = with pkgs; [
    bashInteractive
    curl
    wget
    jq
    git
    which
    ripgrep
    gnugrep
    gnused
    gawkInteractive
    ps
    findutils
    gzip
    unzip
    gnutar
    diffutils
    coreutils
    procps
    python3
  ];

  # antigravity-cli wrapped by jail.nix and exposed under the name "jailed-agy".
  # The combinator order is kept exactly as the author wrote it.
  jailedAgy = jail "jailed-agy" pkgs.antigravity-cli (
    with jail.combinators;
    [
      # Grants the jailed process network access.
      network
      time-zone
      # NOTE(review): if this drops bubblewrap's --new-session (confirm against
      # the jail.nix docs), the jail shares the caller's controlling terminal;
      # bubblewrap's documentation recommends blocking the TIOCSTI ioctl with
      # seccomp in that case.
      no-new-session
      # Binds the directory the wrapper is launched from (presumably read-write;
      # confirm). Launch it only from directories the agent may modify.
      mount-cwd
      # Writable state directory of the CLI.
      # NOTE(review): presumably holds credentials or session data; verify.
      (readwrite (noescape "~/.gemini"))
      # ~/.gemini is a stow-controlled symlink to this path, so the link target
      # is mounted read-write as well.
      (readwrite (noescape "~/dotfiles/legacy/.gemini"))
      (add-pkg-deps agentToolchain)
    ]
  );
in
{
  users.users.${primaryUser} = {
    uid = 1000;
    isNormalUser = true;
    # "wheel" is the administrative group, and "docker" membership allows
    # talking to the root-run Docker daemon, which is effectively root-equivalent
    # on this host. "kvm" grants access to hardware virtualisation.
    extraGroups = [
      "wheel"
      "docker"
      "kvm"
    ];
    # SSH public keys come from the project's `identities` helper.
    # NOTE(review): the key set is decided entirely by getAccessKeys; audit it there.
    openssh.authorizedKeys.keys = identities.getAccessKeys { user = primaryUser; };
    shell = pkgs.zsh;
  };

  virtualisation.docker.enable = true;

  # Needed for agy (antigravity-cli).
  # NOTE(review): this allows every unfree package system-wide;
  # nixpkgs.config.allowUnfreePredicate could restrict it to the one package.
  nixpkgs.config.allowUnfree = true;

  # The jail wrapper is the only package this module adds system-wide.
  environment.systemPackages = [ jailedAgy ];

  networking = {
    hostName = "dia";
    domain = "home.arpa";
  };
}