# Host-level NixOS module: boot, services, privilege escalation (doas),
# agenix-managed secrets, the primary user account and system packages.
# Per-user configuration lives in `~/.config/home-manager/...`.
{ config, pkgs, lib, username, system, hostname, inputs, ... }:
let
  # Single locale used for the default and for every LC_* category below.
  locale = "en_US.UTF-8";

  # Explicit allow-list of unfree packages; anything not named here is refused.
  unfreeAllowed = [
    "steam"
    "steam-original"
    "steam-unwrapped"
    "steam-run"
  ];
in
{
  imports = [
    ./declarative-nm.nix
    ./distrobox.nix
    ./vm.nix
    inputs.agenix.nixosModules.default
    inputs.nixos-hardware.nixosModules.common-pc-ssd
    inputs.chaotic.nixosModules.default
  ];

  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) unfreeAllowed;

  nix = {
    # Run the store optimiser automatically.
    optimise.automatic = true;
    # Enable the `nix` CLI and flakes.
    settings.experimental-features = [ "nix-command" "flakes" ];
  };

  boot = {
    # cachyos-lto is currently broken, so the latest mainline kernel is used.
    # kernelPackages = pkgs.linuxPackages_cachyos-lto;
    kernelPackages = pkgs.linuxPackages_latest;

    # Lower the console log level so kernel messages stay off the console.
    kernel.sysctl."kernel.printk" = "2 4 1 7";

    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      # Boot menu is shown for one second.
      timeout = 1;
    };

    initrd.compressor = "zstd";

    # Modules loaded at boot in addition to the auto-detected ones.
    # "msr" exposes CPU model-specific registers under /dev/cpu/*/msr.
    kernelModules = [ "ip_tables" "iptable_nat" "msr" ];
  };

  # Replace the default NixOS /etc/issue with an empty banner.
  environment = {
    etc."issue".text = "";

    systemPackages = with pkgs; [
      mullvad-vpn
      # Secure Boot key management
      sbctl
      dmidecode
      # agenix CLI, rebuilt to call rage as its age implementation.
      (inputs.agenix.packages.${pkgs.system}.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
      doas-sudo-shim
      glib
      usbutils
      libmtp
      man-pages
      man-pages-posix
    ];

    # Run Electron/Chromium applications natively on Wayland.
    sessionVariables.NIXOS_OZONE_WL = "1";
  };

  services = {
    # Firmware updates through fwupd.
    # NOTE(review): "lvfs-testing" also offers firmware that has not been
    # promoted to the stable LVFS remote; keep it only while it is needed.
    fwupd = {
      enable = true;
      extraRemotes = [ "lvfs-testing" ];
    };

    # mDNS discovery of network printers. openFirewall opens UDP 5353 on the
    # host firewall, so the machine answers mDNS on every network it joins.
    avahi = {
      enable = true;
      nssmdns4 = true;
      openFirewall = true;
    };

    # CUPS printing.
    printing = {
      enable = true;
      # disabled, build broken
      # drivers = with pkgs; [ hplip ];
    };

    # fprintd stays off (it does not compile at the moment).
    fprintd.enable = false;

    # Make sure the Mullvad daemon is running from boot.
    mullvad-vpn.enable = true;

    # Audio: PipeWire replaces PulseAudio and provides the ALSA and Pulse shims.
    pulseaudio.enable = false;
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    gvfs.enable = true;

    # Thermal data
    thermald.enable = true;

    pcscd.enable = true;
  };

  time.timeZone = "America/New_York";

  security = {
    # doas is the only privilege-escalation tool; sudo is switched off.
    sudo.enable = false;
    doas = {
      enable = true;
      # keepEnv hands the caller's environment to the command run as root and
      # persist skips the password prompt for a while after a successful one.
      # NOTE(review): both widen what a hijacked user session can do as root;
      # consider dropping keepEnv in favour of an explicit `setEnv` list.
      extraRules = [
        {
          users = [ username ];
          keepEnv = true;
          persist = true;
        }
      ];
    };

    # RealtimeKit, enabled together with the PipeWire audio setup.
    rtkit.enable = true;
  };

  age = {
    # agenix decrypts secrets with the user's SSH key.
    # NOTE(review): this ties system secrets to a key stored in the home
    # directory, and the key must be readable when secrets are decrypted
    # during activation — confirm /home is available at that point.
    identityPaths = [ "/home/${username}/.ssh/id_ed25519" ];

    # Decrypted at activation and read by users.users.<name>.hashedPasswordFile,
    # so the encrypted file must contain a password hash, not the plaintext.
    secrets.primary-password = {
      file = ./secrets/primary-password.age;
      path = "/etc/secrets/primary-password";
    };
  };

  networking = import ./networking.nix { inherit hostname; };

  # Internationalisation: one locale for every category.
  i18n = {
    defaultLocale = locale;
    extraLocaleSettings = lib.genAttrs [
      "LC_ADDRESS"
      "LC_IDENTIFICATION"
      "LC_MEASUREMENT"
      "LC_MONETARY"
      "LC_NAME"
      "LC_NUMERIC"
      "LC_PAPER"
      "LC_TELEPHONE"
      "LC_TIME"
    ] (_: locale);
  };

  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
    # Experimental features are needed to report the battery level of devices.
    settings.General.Experimental = true;
  };

  # Primary user account (the rest of the configuration is found in
  # `~/.config/home-manager/...`).
  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "networkmanager" "wheel" "video" "camera" "adbusers" ];
    hashedPasswordFile = config.age.secrets.primary-password.path;
  };

  programs = {
    # https://github.com/viperML/nh
    nh = {
      enable = true;
      clean.enable = true;
      clean.extraArgs = "--keep-since 4d --keep 3";
    };

    # dconf is required for GTK themes to apply.
    dconf.enable = true;

    gphoto2.enable = true;
    adb.enable = true;

    # GnuPG agent with a curses pinentry; it does not act as the SSH agent.
    gnupg.agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-curses;
      enableSSHSupport = false;
    };

    steam = {
      enable = true;
      # Open ports in the firewall for Steam Local Network Game Transfers
      localNetworkGameTransfers.openFirewall = true;
      extraCompatPackages = [ pkgs.proton-ge-bin ];
    };

    # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
    # bash stays the login shell and hands interactive sessions over to fish,
    # unless bash was started from fish or invoked with a command string.
    fish.enable = true;
    bash.interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  system.stateVersion = "24.11";

  documentation = {
    enable = true;
    man.enable = true;
    dev.enable = true;
  };
}