{
  pkgs,
  inputs,
  ...
}:
{
  nix.settings.extra-sandbox-paths = [
    "/System/Library/Frameworks"
    "/System/Library/PrivateFrameworks"
    "/usr/lib"
    "/private/tmp"
    "/private/var/tmp"
    "/usr/bin/env"
  ];

  nix.settings.allowed-users = [
    "@admin"
    "@builder"
    "hauleth"
  ];

  # Simulate the systemd-resolved .localhost resolution
  services.dnsmasq = {
    enable = true;
    port = 35353;
    addresses = {
      localhost = "127.0.0.1";
    };
  };

  nix.registry.darwin.flake = inputs.darwin;

  # Enable TouchID PAM on macOS
  security.pam.services.sudo_local.touchIdAuth = true;

  system = {
    primaryUser = "hauleth";

    defaults.dock.autohide = true;

    keyboard = {
      enableKeyMapping = true;
      remapCapsLockToControl = true;
    };
  };
}