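# NixOS system configuration for the host "hyrule" (public name imbored.dev),
# deployed with colmena. It exposes sshd (22) and nginx (80/443) to the
# internet, so the SSH and TLS settings below are the security-relevant part.
{
  pkgs,
  inputs,
  lib,
  ...
}: let
  # NOTE(review): the URL follows the moving `master` branch while sha256 is
  # fixed, so the hash stops matching as soon as master advances. Pin a commit
  # archive URL (or take home-manager from `inputs`) before using this.
  # Nothing below references the binding, so it is currently never fetched.
  home-manager = builtins.fetchTarball {
    url = "https://github.com/nix-community/home-manager/archive/master.tar.gz";
    sha256 = "19w63qccz78v0spx03911z98w1bvlxvd07hb0ma14a4vdzi4ninj";
  };
in {
  # TODO:
  #  - add github:charmbracelet/soft-serve
  #  - add forgejo

  imports = [
    ./hardware-configuration.nix
    #../modules/server/nginx.nix
    #../modules/server/ssh.nix
    #../modules/server/fail2ban.nix
  ];

  nix.settings.experimental-features = ["nix-command" "flakes"];

  time.timeZone = "Australia/Brisbane";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # colmena deployment configuration
  deployment = {
    targetHost = "imbored.dev";
    targetUser = "ae";
    targetPort = 22;
    sshOptions = ["-i ~/.ssh/id_hyrule"];
    # NOTE(review): colmena's `deployment.keys` uploads secret files TO the
    # target host; it does not select the SSH identity used to connect.
    # Uncommenting the block below as written would copy the private deploy
    # key onto the server. Keep the identity in sshOptions only.
    #keys = {
    #  "imbored.dev" = {
    #    # text, keyCommand, or keyFile must be set
    #    # text = "";
    #    #keyCommand = [ "" ];
    #    keyFile = "/home/me/.ssh/id_hyrule";
    #  };
    #};
    buildOnTarget = false; # build locally then deploy
  };

  # super duper minimum grub2 config
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "hyrule";
    networkmanager.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # sshd
        80 # nginx (HTTP -> HTTPS redirect, ACME HTTP-01 challenge)
        443 # nginx
      ];
    };
  };

  users = {
    defaultUserShell = pkgs.bash;
    users = {
      # primary user; membership in `wheel` grants sudo
      ae = {
        isNormalUser = true;
        extraGroups = ["wheel" "networkmanager"];
        shell = pkgs.bash;
        home = "/home/ae";
        # TEMP: remove and replace with home-manager
        packages = with pkgs; [];
      };

      # user for friends to ssh into
      # NOTE(review): no credential is declared for this account in this file,
      # and sshd's AllowUsers below lists only `ae`, so as written this user
      # cannot log in over SSH. Decide deliberately before widening AllowUsers
      # while password authentication is still enabled.
      friends = {
        isNormalUser = true;
        shell = pkgs.bash;
        home = "/home/friends";
        # TEMP: remove and replace with home-manager
        packages = with pkgs; [];
      };
    };
  };

  services = {
    # simple nginx instance to host static construction page
    nginx = {
      enable = true;
      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
      #virtualHosts."imbored.dev".locations."/" = {
      virtualHosts."imbored.dev" = {
        # forceSSL instead of addSSL: addSSL also serves the site over plain
        # HTTP, forceSSL answers port 80 with a redirect to HTTPS.
        forceSSL = true;
        enableACME = true;
        root = "/var/www/imbored";
        #index = "index.html";
        #root = pkgs.writeTextDir "index.html" ''
        #
        #
        #
        # Give me your mittens!
        #
        #
        #
        #'';
      };
    };

    # quick and dirty temporary way of accessing my server
    openssh = {
      enable = true;
      ports = [22];
      settings = {
        # NOTE(review): password logins are accepted on an internet-facing
        # port 22 and the fail2ban module import above is commented out, so
        # nothing in this file throttles password guessing. Once a public key
        # for `ae` is declared (users.users.ae.openssh.authorizedKeys.keys)
        # and key login is confirmed, set this to false. It is left enabled
        # here because no key is declared in this file and flipping it blind
        # could lock the operator out.
        PasswordAuthentication = true;
        PermitRootLogin = "no";
        # Restricts SSH logins to the listed accounts; every other user,
        # including `friends`, is refused.
        AllowUsers = ["ae"];
        UseDns = true; # sshd does a reverse DNS lookup of each client address
        X11Forwarding = false;
      };
    };
  };

  # accept Let's Encrypt's terms of service (needed for nginx's ACME certificate)
  security.acme = {
    acceptTerms = true;
    defaults.email = "eclarkboman@gmail.com";
  };

  #home-manager = {
  #  users = {
  #    dev = import ../../homes/dev;
  #    friends = import ../../homes/friends;
  #  };
  #};

  environment.systemPackages = with pkgs; [
    vim
    helix
  ];

  programs = {
  };

  system.stateVersion = "24.11"; # DO NOT MODIFY
}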