{
  config,
  pkgs,
  lib,
  username,
  system,
  ...
}:
{
  imports = [
    ./common.nix
    ./hardware_laptop.nix
  ];

  services.tlp = {
    enable = true;
    settings = {
      CPU_SCALING_GOVERNOR_ON_AC = "performance";
      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";

      CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
      CPU_ENERGY_PERF_POLICY_ON_AC = "performance";

      CPU_MIN_PERF_ON_AC = 0;
      CPU_MAX_PERF_ON_AC = 100;
      CPU_MIN_PERF_ON_BAT = 0;
      CPU_MAX_PERF_ON_BAT = 60;

      CPU_BOOST_ON_BAT = 0;
      START_CHARGE_THRESH_BAT0 = 90;
      STOP_CHARGE_THRESH_BAT0 = 90;
      RUNTIME_PM_ON_BAT = "auto";
    };
  };

  services = {
    #using btrfs, so lets scrub!
    btrfs.autoScrub = {
      enable = true;
      interval = "weekly";
      fileSystems = [ "/" ];
    };
  };

  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd ${pkgs.niri}/bin/niri-session";
        user = "${username}";
      };
    };
  };

  boot = {
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # Bootloader.
    loader = {
      /*
        Lanzaboote currently replaces the systemd-boot module.
        This setting is usually set to true in configuration.nix
        generated at installation time. So we force it to false
        for now.
      */
      systemd-boot.enable = lib.mkForce false;
    };

    kernelParams = [
      "mitigations=off"
    ];
  };

  # this is a life saver.
  # literally no documentation about this anywhere.
  # might be good to write about this...
  # https://www.reddit.com/r/NixOS/comments/u0cdpi/tuigreet_with_xmonad_how/
  systemd.services.greetd.serviceConfig = {
    Type = "idle";
    StandardInput = "tty";
    StandardOutput = "tty";
    StandardError = "journal"; # Without this errors will spam on screen
    # Without these bootlogs will spam on screen
    TTYReset = true;
    TTYVHangup = true;
    TTYVTDisallocate = true;
  };

  #weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
  #if I move to another lock screen program, i will have to replace `swaylock`
  security.pam.services.swaylock = { };

  system.activationScripts = {
    # extract all my secureboot keys
    "secureboot-keys".text =
      let
        secureboot_path = "/etc/secureboot";
      in
      ''
        #!/bin/sh
        rm -fr ${secureboot_path} || true
        mkdir -p ${secureboot_path}
        ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${secureboot_path}
      '';
  };
}