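# NixOS host configuration for the home server.
# hostname, username, eth_interface and service_configs are module arguments
# supplied from outside this file (specialArgs); `options` is used to probe
# for option existence.
{ config, lib, pkgs, hostname, username, eth_interface, service_configs, options, ... }:
{
  imports = [
    ./hardware.nix
    ./zfs.nix
    ./impermanence.nix
    ./usb-secrets.nix
    ./age-secrets.nix
    ./secureboot.nix
    ./no-rgb.nix
    ./services/postgresql.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix
    ./services/wg.nix
    ./services/qbittorrent.nix
    ./services/bitmagnet.nix
    ./services/soulseek.nix
    # ./services/llama-cpp.nix
    ./services/ups.nix
    ./services/bitwarden.nix
    # KEEP UNTIL 2028
    ./services/caddy_senior_project.nix
  ];

  # Always-on server: never sleep, suspend or hibernate.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  # srvos enables vim, i don't want to use vim, disable it here:
  # (the `? enable` probe keeps this evaluating on nixpkgs revisions where
  # programs.vim has no `enable` option)
  programs.vim = {
    defaultEditor = false;
  } // lib.optionalAttrs (options.programs.vim ? enable) { enable = false; };

  powerManagement = {
    powertop.enable = true;
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "4096";
    }
  ];

  nix = {
    # optimize the store
    optimise.automatic = true;
  };

  boot = {
    # 6.12 LTS until 2026
    kernelPackages = pkgs.linuxPackages_6_12_hardened;
    loader = {
      # Use the systemd-boot EFI boot loader.
      efi.canTouchEfiVariables = true;
      # 1s timeout
      timeout = 1;
    };
    initrd = {
      compressor = "zstd";
      supportedFilesystems = [ "f2fs" ];
    };
  };

  # Blank pre-login banner.
  environment.etc = {
    "issue".text = "";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      AllowUsers = [ username "root" ];
      PasswordAuthentication = false;
      # Root login is needed for deploying configs (root reuses the user's
      # authorized keys below). "prohibit-password" keeps that key-based
      # access working while guaranteeing root can never authenticate with a
      # password, even if PasswordAuthentication is later re-enabled.
      PermitRootLogin = "prohibit-password";
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  # fwupd for updating firmware
  services.fwupd = {
    enable = true;
    # NOTE(review): "lvfs-testing" serves pre-release firmware; on an
    # always-on server consider removing it unless a specific fix from it
    # is needed.
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    lm_sensors
    bottom
    htop
    doas-sudo-shim
    neofetch
    borgbackup
    smartmontools
    ripgrep
    intel-gpu-tools
    iotop
    iftop
    tmux
    wget
    powertop
    lsof
    reflac
    list-usb-drives
    pfetch-rs
    sbctl
    # add `skdump`
    libatasmart
  ];

  networking = {
    nameservers = [ "1.1.1.1" "9.9.9.9" ];
    hostName = hostname;
    hostId = "0f712d56";
    firewall.enable = true;
    useDHCP = false;
    # NOTE(review): with IPv6 disabled system-wide, the static ipv6 address
    # on the interface below presumably has no effect — confirm or drop it.
    enableIPv6 = false;
    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = "fe80::9e6b:ff:fe4d:abb";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = {
      address = "10.1.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  users.groups.${service_configs.media_group} = { };

  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "wheel" "video" "render" service_configs.media_group ];
    # TODO! use proper secrets management
    hashedPasswordFile = config.age.secrets.hashedPass.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
    ];
  };

  # used for deploying configs to server
  users.users.root.openssh.authorizedKeys.keys =
    config.users.users.${username}.openssh.authorizedKeys.keys;

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  programs.bash = {
    # Hand interactive bash sessions over to fish unless bash was started
    # by fish itself or with -c.
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    # lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    doas.extraRules = [
      {
        users = [ username ];
        # keepEnv passes the caller's full environment into the root
        # process; persist caches the authentication for a while.
        keepEnv = true;
        persist = true;
      }
    ];
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    # NOTE(review): builtins.readFile embeds the secret in the world-readable
    # Nix store (and the generated murmur config). Prefer a runtime-loaded
    # secret, as hashedPasswordFile does via age, if the module offers one.
    password = builtins.readFile ./secrets/murmur_password;
  };

  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {
  #       port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  # systemd.tmpfiles.rules = [
  #   "Z /tank/music 775 ${username} users"
  # ];

  system.stateVersion = "24.11";
}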