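# NixOS host configuration: ZFS-backed server with SSH, Podman, Murmur,
# PostgreSQL and the service modules imported below.
#
# Arguments beyond the usual module set (hostname, username, eth_interface,
# service_configs) are supplied by the caller of this module.
{
  config,
  lib,
  pkgs,
  hostname,
  username,
  eth_interface,
  service_configs,
  ...
}:
{
  imports = [
    ./hardware.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/quadlet.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix
  ];

  nix = {
    #garbage collection and cleanup stuff
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };

    #optimize the store
    optimise.automatic = true;

    #enable flakes!
    settings.experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  boot = {
    # NOTE(review): the kernel is pinned to one release series; confirm that
    # series still receives upstream fixes and is supported by the ZFS module.
    kernelPackages = pkgs.linuxPackages_6_10;

    supportedFilesystems = [ "zfs" ];
    zfs.extraPools = [ "tank" ];

    loader = {
      # Use the systemd-boot EFI boot loader.
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;

      # 1 sec timeout
      timeout = 1;
    };

    initrd = {
      compressor = "zstd";
      compressorArgs = [ "-19" ];
    };
  };

  # Pre-login banner shown on local consoles.
  environment.etc = {
    "issue".text = "muffin server :3\n";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication alone does not cover PAM keyboard-interactive
      # prompts, and this account has a password (hashedPasswordFile below),
      # so turn that path off as well to keep SSH key-only.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  #Intel GPU stuff
  # NOTE(review): the override targets `vaapiIntel`, while the package list
  # below installs `intel-vaapi-driver`; verify the hybrid-codec override
  # actually reaches the package in use.
  nixpkgs.config.packageOverrides = pkgs: {
    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
      intel-vaapi-driver # previously vaapiIntel
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  #fwupd for updating firmware
  services.fwupd = {
    enable = true;
    # lvfs-testing offers firmware that has not been promoted to the stable
    # remote yet. NOTE(review): confirm pre-release firmware is wanted here.
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    nixfmt-rfc-style
    lm_sensors
    bottom
    htop
    borgbackup
    smartmontools
    nil
    ripgrep
    intel-gpu-tools
    tmux
  ];

  services.zfs = {
    autoScrub.enable = true;
    autoSnapshot.enable = true;
  };

  # One-shot unit that sets every device OpenRGB lists to colour 000000.
  # The unit sets no User=, so the script runs with systemd's default
  # (root) privileges.
  systemd.services.no-rgb =
    let
      no-rgb = pkgs.writeScriptBin "no-rgb" ''
        #!/bin/sh
        NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)

        for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
          ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
        done
      '';
    in
    {
      description = "disable rgb";
      serviceConfig = {
        ExecStart = "${no-rgb}/bin/no-rgb";
        Type = "oneshot";
      };
      wantedBy = [ "multi-user.target" ];
    };

  services.hardware.openrgb = {
    enable = true;
    package = pkgs.openrgb-with-all-plugins;
    motherboard = "amd";
  };

  services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
  hardware.i2c.enable = true;

  networking = {
    nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];

    hostName = hostname;
    hostId = "0f712d56";

    # Ports are opened per service (e.g. murmur's openFirewall below);
    # the imported service modules may open more.
    firewall.enable = true;

    # Static addressing on the single wired interface.
    useDHCP = false;
    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
    };

    defaultGateway = {
      address = "10.1.1.1";
      interface = eth_interface;
    };
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;

      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  users.users.${username} = {
    isNormalUser = true;
    # "wheel" marks this as the administrative account; "video" and "render"
    # grant access to the GPU device nodes.
    extraGroups = [
      "wheel"
      "video"
      "render"
    ];

    # Given as a string, not a path literal, so the hash is read from disk
    # on the host and is not copied into the Nix store.
    hashedPasswordFile = "/etc/nixos/secrets/hashedPass";

    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
    ];
  };

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  programs.bash = {
    # Hands interactive bash sessions over to fish unless bash was started
    # from fish or invoked with a command string (bash -c ...).
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    #lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;

    # Configure doas
    # keepEnv passes the caller's whole environment to the elevated command,
    # and persist skips re-authentication for a while after a successful
    # prompt. NOTE(review): if only a few variables are needed, setEnv with
    # an explicit list is the narrower choice.
    doas.extraRules = [
      {
        users = [ username ];
        keepEnv = true;
        persist = true;
      }
    ];
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    # NOTE(review): builtins.readFile runs at evaluation time, so the password
    # is embedded in the generated server config, which lives in the
    # world-readable /nix/store. The murmur module's environmentFile option,
    # with a placeholder variable as the password value, keeps it out of the
    # store.
    password = builtins.readFile ./secrets/murmur_password;
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    dataDir = "/tank/services/sql";
  };

  system.stateVersion = "24.05";
}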