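# NixOS + colmena host configuration for "hyrule" (deployed to imbored.dev).
# Module arguments are supplied by the flake / colmena evaluation; `inputs`
# and `lib` are currently only referenced from commented-out code.
{ pkgs, inputs, lib, ... }:
let
  # Pinned home-manager release tarball. The sha256 makes the fetch
  # reproducible and stops a changed upstream archive from being evaluated
  # unnoticed.
  home-manager = builtins.fetchTarball {
    url = "https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz";
    sha256 = "0c07xj74vsj37d3a8f98i9rhhhr99ckwlp45n40f0qkmigm3pk8s";
  };
in
{
  # TODO:
  # - add github:charmbracelet/soft-serve
  # - add forgejo
  imports = [
    ./hardware-configuration.nix
    (import "${home-manager}/nixos")
    #../../flakes/wishlist/wishlist.nix
    #../modules/server/nginx.nix
    #../modules/server/ssh.nix
    #../modules/server/fail2ban.nix
  ];

  # override wishlist with the new cool one!
  #pkgs.config.packageOverrides = {
  #  wishlist = inputs.wishlist.packages.x86_64-linux.wishlist;
  #};

  nix.settings = {
    # make wheel group trusted users allows my "ae" user
    # to import packages not signed by a trusted key
    # (aka super duper easier to remote deploy)
    # NOTE: trusted users can feed unsigned paths to the nix daemon, so every
    # wheel member is effectively root as far as the store is concerned.
    trusted-users = ["root" "@wheel"];
    experimental-features = [ "nix-command" "flakes" ];
  };

  time.timeZone = "Australia/Brisbane";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # colmena deployment configuration
  deployment = {
    targetHost = "imbored.dev";
    targetUser = "ae";
    targetPort = 22;
    # the following line is unnecessary if using an ssh agent
    #sshOptions = ["-i /home/me/.ssh/id_hyrule"];
    #keys = {
    #  "imbored.dev" = {
    #    # text, keyCommand, or keyFile must be set
    #    # text = "";
    #    #keyCommand = [ "" ];
    #    keyFile = "/home/me/.ssh/id_hyrule";
    #  };
    #};
    buildOnTarget = false; # build locally then deploy
  };

  # super duper minimum grub2 config
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "hyrule";
    networkmanager.enable = true;
    firewall = {
      enable = true;
      # Everything listed here is reachable from the public internet (the
      # deployment target is a public hostname), so keep it to what must be
      # exposed.
      allowedTCPPorts = [
        22   # sshd
        80   # nginx
        443  # nginx
        2222 # wishlist
        # FIXME(review): nothing in this file declares a listener on 2035 or
        # 5000; open them only while the debug session is running, or bind the
        # debug service to localhost and reach it over an ssh forward, rather
        # than leaving them permanently open.
        2035 # debug (for my job)
        5000 # debug (for my job)
      ];
    };
  };

  # grant passwordless sudo to wheel group
  # NOTE: together with the ssh password logins allowed in
  # services.openssh.settings below, a guessed password for "ae" is a root
  # shell.
  security.sudo.wheelNeedsPassword = false;

  users = {
    defaultUserShell = pkgs.bash;
    users = {
      # primary user
      ae = {
        isNormalUser = true;
        # "docker" group membership gives control of the docker daemon, which
        # is root-equivalent on this host; "wheel" already is via sudo.
        extraGroups = ["wheel" "networkmanager" "docker"];
        shell = pkgs.bash;
        home = "/home/ae";
        # TEMP: remove and replace with home-manager
        packages = with pkgs; [ ];
      };
      subspace = {
        isNormalUser = true;
        shell = pkgs.bash;
        home = "/home/subspace";
        packages = with pkgs; [ wishlist ];
      };
      # user for friends to ssh into
      # NOTE: "friends" is not in services.openssh.settings.AllowUsers below,
      # so sshd currently rejects this account; add it there if ssh access is
      # really intended.
      friends = {
        isNormalUser = true;
        shell = pkgs.bash;
        home = "/home/friends";
        # TEMP: remove and replace with home-manager
        packages = with pkgs; [ ];
      };
    };
  };

  virtualisation.docker.enable = true;

  home-manager = {
    users = {
      ae = import ../../homes/ae;
      subspace = import ../../homes/subspace;
    };
    sharedModules = [];
  };

  services = {
    # simple nginx instance to host static construction page
    nginx = {
      enable = true;
      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
      #virtualHosts."imbored.dev".locations."/" = {
      virtualHosts."imbored.dev" = {
        # addSSL serves the page over both http and https; forceSSL would
        # redirect plain http to https instead.
        addSSL = true;
        enableACME = true;
        root = "/var/www/imbored";
        #index = "index.html";
        #root = pkgs.writeTextDir "index.html" ''
        #
        #
        #  Give me your mittens!
        #
        #
        #'';
      };
    };

    openssh = {
      enable = true;
      ports = [22];
      settings = {
        # Password logins are accepted on a public port 22. With
        # wheelNeedsPassword = false above this makes "ae"'s password a root
        # credential; prefer key-only auth (PasswordAuthentication = false)
        # once keys are in place — the colmena deployment appears to rely on
        # them already.
        PasswordAuthentication = true;
        PermitRootLogin = "no";
        # Only these accounts may log in over ssh; the "friends" account
        # defined in users.users is not listed here.
        AllowUsers = ["ae" "subspace"];
        # Reverse-DNS lookups on every connection; adds login latency for no
        # access-control benefit since AllowUsers does not use host patterns.
        UseDns = true;
        X11Forwarding = false;
      };
    };

    #wishlist = {
    #  enable = true;
    #};
  };

  # accept Lets Encrypt's security policy (for nginx)
  security.acme = {
    acceptTerms = true;
    defaults.email = "eclarkboman@gmail.com";
  };

  environment.systemPackages = with pkgs; [
    vim
    helix
    #wishlist
  ];

  programs = {
    fish.enable = true;
    bash = {
      # Hand interactive bash sessions over to fish unless bash was started
      # by fish itself or is running a -c command string.
      interactiveShellInit = ''
        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
        then
          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
        fi
      '';
    };
  };

  #systemd.services.wishlist = {
  #  description = "Single entrypoint for multiple SSH endpoints";
  #  wantedBy = ["multi-user.target"];
  #
  #  serviceConfig = {
  #    DynamicUser = "yes";
  #    ExecStart = "${pkgs.wishlist}/bin/wishlist serve --config /home/$USER/.ssh/config";
  #    Restart = "always";
  #    RestartSec = "2s";
  #  };
  #};

  system.stateVersion = "24.11"; # DO NOT MODIFY
}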