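# NixOS host module for this machine: hardware, boot (lanzaboote Secure Boot),
# login, audio, printing, the user account and system packages. Per-user
# configuration is left to home-manager (see the users.users comment below).
#
# `username`, `hostname`, `system` and `inputs` are not standard module
# arguments; they are expected to come from the flake's specialArgs.
{ config, pkgs, lib, username, system, hostname, inputs, ... }:

{
  imports = [
    ./declarative-nm.nix
    # ./vm.nix
    ./steam.nix
    ./networking.nix
    inputs.nixos-hardware.nixosModules.common-pc-ssd
    inputs.disko.nixosModules.disko
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  nixpkgs.config.allowUnfree = true;
  nixpkgs.hostPlatform = "x86_64-linux";

  # ---- hardware -------------------------------------------------------------

  # allow overclocking (I actually underclock but lol)
  hardware.amdgpu.overdrive.ppfeaturemask = "0xFFF7FFFF";
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = true;

  # Enable Bluetooth
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
    # Enable experimental features for battery % of bluetooth devices
    settings.General.Experimental = true;
  };

  swapDevices = [ ];

  # ---- boot / kernel --------------------------------------------------------
  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    # kernelPackages = pkgs.linuxPackages;

    lanzaboote = {
      enable = true;
      # TODO: proper secrets management so this is not stored in nix store
      pkiBundle = "/var/lib/sbctl";
    };

    # Bootloader.
    loader = {
      efi.canTouchEfiVariables = true;
      timeout = 1;
      /*
        Lanzaboote currently replaces the systemd-boot module. This setting is
        usually set to true in configuration.nix generated at installation
        time. So we force it to false for now.
      */
      systemd-boot.enable = lib.mkForce false;
      # Kept although systemd-boot is disabled: lanzaboote appears to use this
      # as the default for its own configurationLimit — confirm against the
      # lanzaboote module if the number of retained generations matters.
      systemd-boot.configurationLimit = 10;
    };

    initrd = {
      compressor = "zstd";
      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "amdgpu" ];
    };
    # "msr" exposes the CPU model-specific registers under /dev/cpu/*/msr
    # (root-only device nodes); presumably here for the clocking tooling.
    kernelModules = [ "kvm-amd" "ip_tables" "iptable_nat" "msr" ];
  };

  # ---- nix ------------------------------------------------------------------
  nix = {
    # optimize the store
    optimise.automatic = true;
    # enable flakes!
    settings.experimental-features = [ "nix-command" "flakes" ];
  };

  # ---- activation scripts ---------------------------------------------------
  # Every `.text` below is spliced into the single NixOS activation script, so
  # the `#!` lines the earlier versions carried had no effect and are dropped.
  system.activationScripts = {
    # FIX: https://github.com/NixOS/nix/issues/2982
    "profile-channel-dummy".text = ''
      mkdir -p /nix/var/nix/profiles/per-user/root/channels
    '';

    # extract all my secureboot keys
    # TODO! proper secrets management
    # NOTE: `${./secrets/secureboot.tar}` is a store path, i.e. the archive and
    # the private keys in it are readable by every local user via /nix/store.
    "secureboot-keys".text = ''
      bundle="${config.boot.lanzaboote.pkiBundle}"
      # Extract into a sibling scratch directory and only then swap it into
      # place: the previous version rm -fr'd $bundle *before* running tar, so
      # a failed extraction left the system with no Secure Boot keys at all.
      tmp=$(mktemp -d "$bundle.XXXXXX")
      if ${lib.getExe pkgs.gnutar} xf ${./secrets/secureboot.tar} -C "$tmp"; then
        chown -R root:wheel "$tmp"
        chmod -R 500 "$tmp"
        rm -fr "$bundle"
        mv "$tmp" "$bundle"
      else
        echo "secureboot-keys: extraction failed, keeping existing $bundle" >&2
        rm -fr "$tmp"
        # non-zero status so the activation run is reported as failed without
        # aborting the remaining activation snippets (presumably via the
        # activation script's ERR trap — confirm)
        false
      fi
    '';
  };

  # ---- login / session ------------------------------------------------------
  services.greetd = {
    enable = true;
    settings.default_session = {
      command = "${lib.getExe pkgs.greetd.tuigreet} --time --cmd niri-session";
      # NOTE(review): this is the account greetd runs the *greeter* as, so
      # tuigreet already has this user's file access before anyone has
      # authenticated. NixOS defaults to the dedicated "greeter" account —
      # confirm this is intended.
      user = username;
    };
  };

  security = {
    # lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    doas.extraRules = [
      {
        users = [ username ];
        # keepEnv carries the caller's environment into the root session and
        # persist skips re-authentication for a while; both are deliberate
        # convenience-over-hardening choices for a single-user machine.
        keepEnv = true;
        persist = true;
      }
    ];
    # realtime scheduling for pipewire
    rtkit.enable = true;
  };

  # ---- services -------------------------------------------------------------
  services = {
    # fwupd for updating firmware
    fwupd = {
      enable = true;
      # "lvfs-testing" serves pre-release firmware that has not yet been
      # promoted to the stable LVFS remote.
      extraRemotes = [ "lvfs-testing" ];
    };

    # auto detect network printers
    avahi = {
      enable = true;
      nssmdns4 = true;
      # opens UDP 5353 (mDNS) in the firewall
      openFirewall = true;
    };

    # Enable CUPS to print documents.
    printing = {
      enable = true;
      drivers = with pkgs; [ hplip ];
    };

    # I don't want fingerprint login
    fprintd.enable = false;
    # Making sure mullvad works on boot
    mullvad-vpn.enable = true;

    # Enable sound with pipewire.
    pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    gvfs.enable = true;
    # Enable thermal data
    thermald.enable = true;
    # smart card daemon
    pcscd.enable = true;
  };

  # EST
  time.timeZone = "America/New_York";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # ---- user -----------------------------------------------------------------
  # Define my user account (the rest of the configuration is found in `~/.config/home-manager/...`)
  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "networkmanager" "wheel" "video" "camera" "adbusers" ];
    # NOTE: "${./secrets/password-hash}" copies the file into the world-readable
    # nix store, so the hash is exposed to every local user.
    hashedPasswordFile = "${./secrets/password-hash}";
  };

  # ---- programs -------------------------------------------------------------
  programs = {
    # Apply gtk themes by enabling dconf
    dconf.enable = true;
    gphoto2.enable = true;
    adb.enable = true;
    gnupg.agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-curses;
      enableSSHSupport = false;
    };

    # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
    fish.enable = true;
    bash = {
      # Hand interactive bash sessions over to fish, unless bash was started
      # from fish or is running a `-c` command string.
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
        fi
      '';
    };
  };

  # ---- environment ----------------------------------------------------------
  # System packages
  environment.systemPackages = with pkgs; [
    mullvad-vpn
    #secureboot ctl
    sbctl
    dmidecode
    doas-sudo-shim
    glib
    usbutils
    libmtp
    man-pages
    man-pages-posix
    # needed for home-manager
    git
  ];

  environment.etc = {
    # override default nixos /etc/issue
    "issue".text = "";
  };

  # wayland with electron/chromium applications
  environment.sessionVariables.NIXOS_OZONE_WL = "1";

  # port 53317 for localsend
  networking.firewall.allowedUDPPorts = [ 53317 ];
  networking.firewall.allowedTCPPorts = [ 53317 ];

  documentation.enable = true;
  documentation.man.enable = true;
  documentation.dev.enable = true;

  system.stateVersion = "25.05";
}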