{ config, lib, inputs, system, ... }:
let
  pkgs = inputs.nixpkgs.legacyPackages.${system};
in
{
  services.journald.extraConfig = "SystemMaxUse=1G";

  environment = {
    variables = {
      EDITOR = "hx";
      VISUAL = "hx";
      PAGER = "less";
      MANPAGER = "less";
    };

    systemPackages = with pkgs; [
      age
      bat
      bind
      bottom
      btrfs-progs
      cue
      curl
      dog
      dua
      eza
      fd
      file
      gnumake
      gron
      helix
      hexyl
      htop
      iputils
      jq
      killall
      less
      mosh
      nmap
      openssl
      pciutils
      pv
      rclone
      restic
      ripgrep
      rsync
      rtx
      sd
      sops
      smartmontools
      sqlite
      unzip
      watchexec
      wget
      xh
      zellij
      zstd
    ];
  };

  users.users = {
    daniel = {
      isNormalUser = true;
      home = "/home/daniel/.home";
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPLXOjupz3ScYjgrF+ehrbp9OvGAWQLI6fplX6w9Ijb daniel@lyte.dev"
      ];
      group = "daniel";
      extraGroups = [ "users" "wheel" "video" ];
      packages = [ ];
    };

    root = {
      openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys;
    };
  };

  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  services = {
    xserver = {
      layout = "us";
      xkbOptions = "ctrl:nocaps";
    };

    openssh = {
      enable = true;

      settings = {
        PasswordAuthentication = false;
      };

      # TODO: tailscale can handle this I think...?
      openFirewall = lib.mkDefault true;

      # listenAddresses = [
      #   { addr = "0.0.0.0"; port = 22; }
      # ];
    };

    tailscale = {
      enable = true;
      useRoutingFeatures = lib.mkDefault "client";
    };

    fwupd.enable = true;
    smartd.enable = true;
  };

  console = {
    font = "Lat2-Terminus16";
    useXkbConfig = true;
    earlySetup = true;

    colors = [
      "111111"
      "f92672"
      "a6e22e"
      "f4bf75"
      "66d9ef"
      "ae81ff"
      "a1efe4"
      "f8f8f2"
      "75715e"
      "f92672"
      "a6e22e"
      "f4bf75"
      "66d9ef"
      "ae81ff"
      "a1efe4"
      "f9f8f5"
    ];
  };

  networking = {
    useDHCP = lib.mkDefault true;

    firewall = {
      enable = lib.mkDefault true;
      allowPing = lib.mkDefault true;
      allowedTCPPorts = lib.mkDefault [ 22 ];
      allowedUDPPorts = lib.mkDefault [ ];
    };
  };

  nix = {
    settings = {
      trusted-users = [ "root" "daniel" ];
      experimental-features = lib.mkDefault [ "nix-command" "flakes" ];
      substituters = [
        "https://nix.h.lyte.dev"
        "https://nix-community.cachix.org"
        "https://cache.nixos.org/"
      ];
      trusted-public-keys = [
        "h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
    };
  };

  nixpkgs = {
    config = {
      allowUnfree = true;
    };
    hostPlatform = lib.mkDefault "x86_64-linux";
  };

  programs = {
    fish = {
      enable = true;
    };

    tmux = {
      enable = true;
      clock24 = true;
    };

    traceroute.enable = true;

    git = {
      enable = true;

      lfs = {
        enable = true;
      };
    };

    # https://github.com/nix-community/home-manager/issues/3113
    dconf.enable = true;
  };

  time = {
    timeZone = "America/Chicago";
  };

  users = {
    defaultUserShell = pkgs.fish;
  };
}