{ pkgs, lib, config, ... }:
with lib;
with lib.metacfg;
{
  imports = [
    ./hardware-configuration.nix
    # ./ipu.nix
  ];

  # Secrets are decrypted by sops-nix, using the SSH host key below as the age
  # identity. Both secrets live in the same encrypted file.
  # NOTE(review): mode "0444" makes the decrypted files readable by every local
  # account and process. If "wg" is a WireGuard config it presumably holds the
  # interface private key -- confirm. If only one user needs the files, prefer
  # a restrictive mode with an explicit owner/group.
  sops = {
    age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
    secrets = {
      wg = {
        sopsFile = ../../../.secrets/x1/files.yaml;
        mode = "0444";
      };
      hosts = {
        sopsFile = ../../../.secrets/x1/files.yaml;
        mode = "0444";
      };
    };
  };

  # Publish the decrypted files under /etc as wg0.backup.conf and hosts.backup.
  # The /etc entries point at the sops-managed paths, so the permissions set
  # above decide who can read them.
  environment.etc = {
    "wg0.backup.conf".source = config.sops.secrets."wg".path;
    "hosts.backup".source = config.sops.secrets."hosts".path;
  };

  # OpenSSH server with its host keys kept under /var/lib/secrets.
  # The ed25519 key is the same file that sops.age.sshKeyPaths points at, so it
  # is both the SSH host identity and the key that decrypts the sops secrets.
  # Anyone who can read it can do both.
  # NOTE(review): this file sets no services.openssh.settings. Confirm that
  # password authentication and root login are restricted elsewhere
  # (possibly by metacfg.base).
  services.openssh.enable = true;
  services.openssh.hostKeys = [
    {
      type = "ed25519";
      path = "/var/lib/secrets/ssh_host_ed25519_key";
    }
    {
      type = "rsa";
      bits = 4096;
      path = "/var/lib/secrets/ssh_host_rsa_key";
    }
  ];

  # NOTE(review): ClassicBondedOnly = false lets Bluetooth Classic HID devices
  # connect without being bonded first. Recent BlueZ releases default this to
  # true as a hardening measure, so keep it relaxed only while a device in use
  # actually requires it.
  hardware.bluetooth.input.General = {
    ClassicBondedOnly = false;
  };

  # Raw HID (hidraw) access for devices with idVendor 342d, products e4c5 and
  # e489.
  # NOTE(review): GROUP="users" with MODE="0660" opens these nodes to every
  # member of "users", whether or not they hold the active session. The uaccess
  # tag is meant to limit access to the user on the active seat, but
  # extraRules may be written to a late-ordered rules file where that tag no
  # longer takes effect -- verify, and narrow the group if possible.
  services.udev.extraRules = ''
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
  '';

  # Feature switches from the project's own metacfg module set. What each
  # switch turns on is defined outside this file.
  metacfg = {
    base.enable = true;
    gui.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    podman.enable = true;
    secureboot.enable = true;
    homeprinter.enable = true;

    # Resource limits; the metacfg module decides how the two values are applied.
    system.limits = {
      enable = true;
      nofileLimit = 32768;
      memlockLimit = 32768;
    };

    # User configuration
    tools.direnv.enable = true;

    # NOTE(review): members of "docker" can drive the Docker daemon, which is
    # effectively root on this host. "dialout" is presumably for serial
    # devices. Keep the list to what the user really needs.
    user.extraGroups = [
      "docker"
      "dialout"
    ];
  };

  # Allowlist for a package that nixpkgs marks as insecure. Without this entry,
  # evaluation refuses anything that depends on this Electron build.
  # NOTE(review): presumably needed by one of the Electron-based apps installed
  # below -- confirm which one. Remove the exception once that app moves to a
  # maintained Electron; until then it runs on a browser engine that no longer
  # receives security fixes.
  nixpkgs.config = {
    permittedInsecurePackages = [ "electron-27.3.11" ];
  };

  # Packages installed system-wide for all users. Names are qualified with
  # `pkgs.` explicitly; the order matches the original list.
  # NOTE(review): claude-code, goose-cli and aider-chat are coding assistants
  # that can run commands and read files with the invoking user's privileges.
  # Anything world-readable on this machine, including secrets decrypted with
  # mode 0444, is within their reach.
  environment.systemPackages = [
    pkgs.azure-cli
    pkgs.cloudflare-warp
    pkgs.desktop-file-utils
    pkgs.kubectl
    pkgs.kubectx
    pkgs.k9s
    pkgs.attic-client
    pkgs.ollama
    pkgs.piper
    pkgs.klavaro
    pkgs.tipp10
    pkgs.gtypist
    pkgs.logseq
    pkgs.claude-code
    pkgs.claude-desktop-with-fhs
    pkgs.goose-cli
    pkgs.aider-chat
    pkgs.vscode
    # Disabled alternative: VS Code bundled with a fixed extension set.
    #    (pkgs.vscode-with-extensions.override {
    #      vscodeExtensions = with pkgs.vscode-extensions; [
    #        rooveterinaryinc.roo-cline
    #        rust-lang.rust-analyzer
    #        github.copilot
    #        ms-python.python
    #        ms-azuretools.vscode-docker
    #        ms-vscode-remote.remote-ssh
    #      ];
    #    })
  ];

  # Compressed in-RAM swap.
  zramSwap = {
    enable = true;
  };

  # ratbagd daemon for configuring input devices.
  services.ratbagd = {
    enable = true;
  };

  # systemd-resolved as the local resolver. The DNSSEC and single-label
  # settings below are disabled, so the module defaults apply.
  # NOTE(review): with the dnssec line commented out, this file does not
  # request DNSSEC validation -- confirm that is intended.
  services.resolved.enable = true;
  #services.resolved.dnssec = "allow-downgrade";
  #services.resolved.extraConfig = ''
  #  ResolveUnicastSingleLabel=yes
  #'';

  # Make the systemd units shipped in the cloudflare-warp package available
  # (needed for warp-cli).
  systemd.packages = [ pkgs.cloudflare-warp ];

  # Container and VM backends: the Docker daemon and libvirtd are both enabled.
  # Podman's `docker` command alias stays off, so it does not shadow the real
  # Docker CLI.
  # NOTE(review): the Docker daemon runs as root, and access to its socket is
  # equivalent to root on the host. See the "docker" group membership granted
  # in metacfg.user.extraGroups.
  virtualisation.docker.enable = true;
  virtualisation.libvirtd.enable = true;
  virtualisation.podman.dockerCompat = false;

  # Unattended upgrades: each new generation is built and set as the boot
  # default, but it is neither switched to immediately nor followed by an
  # automatic reboot.
  # NOTE(review): updated kernels and services, security fixes included, only
  # take effect after a manual reboot, so the machine needs regular restarts.
  # No upgrade source (flake or channel) is set in this file; presumably it is
  # configured elsewhere.
  system.autoUpgrade.enable = true;
  system.autoUpgrade.operation = "boot";
  system.autoUpgrade.allowReboot = false;

  # Trezor bridge daemon for the hardware wallet.
  services.trezord = {
    enable = true;
  };

  # The Ollama service is currently switched off. The ROCm acceleration
  # settings are kept so it can be re-enabled without having to look them up
  # again.
  # NOTE(review): if it is enabled later, check which address the service
  # listens on before relying on it. Its API is presumably unauthenticated.
  services.ollama.enable = false;
  services.ollama.acceleration = "rocm";
  services.ollama.environmentVariables.HSA_OVERRIDE_GFX_VERSION = "10.1.0";

  # Session-wide graphics selection. VA-API is pointed at the "iHD" driver, and
  # DRI_PRIME selects the GPU with PCI path tag pci-0000_00_02_0. The
  # commented-out lines are alternatives that are not active.
  environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
  # NIXOS_OZONE_WL = "1";
  # DRI_PRIME = "pci-0000_24_00_0";
  environment.sessionVariables.DRI_PRIME = "pci-0000_00_02_0";

  # NixOS release whose stateful defaults this installation was created with.
  # It is not the version of the packages being installed.
  system.stateVersion = "23.11";
}