{
  config,
  pkgs,
  lib,
  username,
  inputs,
  ...
}:
{
  imports = [
    ./common.nix
    ./hardware_laptop.nix

    inputs.nixos-hardware.nixosModules.framework-12th-gen-intel
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

  # hardware.framework.laptop13.audioEnhancement = {
  #   enable = true;

  #   # seems audio doesn't work without this
  #   hideRawDevice = false;
  # };
  #

  # PST
  time.timeZone = lib.mkForce "America/Los_Angeles";

  services.tlp = {
    enable = true;
    settings = {
      CPU_SCALING_GOVERNOR_ON_AC = "powersave";
      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";

      CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
      CPU_ENERGY_PERF_POLICY_ON_AC = "default";

      PCIE_ASPM_ON_BAT = "powersupersave";
      PCIE_ASPM_ON_AC = "default";
      PLATFORM_PROFILE_ON_BAT = "low-power";
      PLATFORM_PROFILE_ON_AC = "balanced";
    };
  };

  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd niri-session";
        user = username;
      };
    };
  };

  boot = {
    lanzaboote = {
      enable = true;
      # TODO: proper secrets management so this is not stored in nix store
      pkiBundle = "/var/lib/sbctl";
    };

    # Bootloader.
    loader = {
      /*
        Lanzaboote currently replaces the systemd-boot module.
        This setting is usually set to true in configuration.nix
        generated at installation time. So we force it to false
        for now.
      */
      systemd-boot.enable = lib.mkForce false;
    };
  };

  system.activationScripts = {
    # extract all my secureboot keys
    "secureboot-keys".text = ''
      #!/bin/sh
      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
    '';
  };

  programs.gamescope = {
    enable = true;
    capSysNice = true;
  };

  programs.steam = {
    gamescopeSession.enable = true;
  };

  # this is a life saver.
  # literally no documentation about this anywhere.
  # might be good to write about this...
  # https://www.reddit.com/r/NixOS/comments/u0cdpi/tuigreet_with_xmonad_how/
  systemd.services.greetd.serviceConfig = {
    Type = "idle";
    StandardInput = "tty";
    StandardOutput = "tty";
    StandardError = "journal"; # Without this errors will spam on screen
    # Without these bootlogs will spam on screen
    TTYReset = true;
    TTYVHangup = true;
    TTYVTDisallocate = true;
  };

  system.activationScripts = {
    # FIX: https://github.com/NixOS/nix/issues/2982
    "profile-channel-dummy".text = ''
      #!/bin/sh
      mkdir -p /nix/var/nix/profiles/per-user/root/channels
    '';
  };

  # weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
  # if I move to another lock screen program, i will have to replace `swaylock`
  security.pam.services.swaylock = { };

  # disable framework kernel module
  # https://github.com/NixOS/nixos-hardware/issues/1330
  hardware.framework.enableKmod = false;
}