# NixOS module for a single desktop host: sops-managed secrets, the custom
# `nathan.*` options, networking/firewall, TPM, VMware host and ZFS.
{ config, lib, pkgs, inputs, ... }:
let
  inherit (pkgs) system;

  # Second nixpkgs instance built from the `nixpkgs-unstable` input, with unfree
  # packages allowed. In this file it is only used for the VMware package.
  unstable = import inputs.nixpkgs-unstable {
    inherit system;
    config.allowUnfree = true;
  };

  # Both borg secrets are read from the same sops-encrypted YAML file.
  borgSecret = {
    sopsFile = ../../secrets/levitation/borg.yaml;
    format = "yaml";
  };
in
{
  imports = [ ./passthrough.nix ];

  # Sops setup for this machine
  # No owner/mode is given for the first three secrets, so they use the sops-nix
  # defaults (root-owned, mode 0400 as far as I know; confirm against the pinned
  # sops-nix version).
  sops.secrets = {
    "borg-ssh-key" = borgSecret;
    "borg-password" = borgSecret;
    # NOTE(review): nothing in this file references this secret, and
    # `nathan.config.windows.enable` is false below. If it is unused, dropping
    # the declaration keeps the decrypted recovery key off this host.
    "windows-bitlocker-key" = {
      sopsFile = ../../secrets/levitation/windows.yaml;
      format = "yaml";
    };
    # Readable only by the `nathan` user.
    "last.fm" = {
      sopsFile = ../../secrets/levitation/last.fm;
      format = "binary";
      owner = "nathan";
      mode = "0400";
    };
  };

  # Setup system configuration
  # `nathan.*` options are declared elsewhere in the repository; their exact
  # effect is not visible from this file.
  nathan = {
    programs.games = true;

    services = {
      borg = {
        enable = true;
        # NOTE(review): /var/log is excluded, so system logs are not part of the
        # backup. If they matter for incident response, ship them elsewhere.
        extraExcludes = [
          "/home/${config.nathan.config.user}/Music"
          "/var/lib/docker"
          "/var/log"
        ];
        # Paths to the decrypted secrets, not the secret values themselves.
        passwordFile = config.sops.secrets."borg-password".path;
        sshKey = config.sops.secrets."borg-ssh-key".path;
      };
      kubo.enable = true;
      # resolved = { enable = true; };
    };

    hardware = {
      amdPassthrough = true;
      printing = true;
    };

    config = {
      isDesktop = true;
      setupGrub = true;
      # NOTE(review): automatic updates and the `harden` profile are both off
      # for this host; presumably deliberate for a desktop, worth confirming.
      nix.autoUpdate = false;
      harden = false;
      virtualization = {
        docker = false;
        podman = true;
      };
      windows.enable = false;
    };
  };

  # Configure networking
  networking = {
    domain = "mccarty.io";
    useDHCP = true;
    interfaces.enp6s0.useDHCP = true;
    nat.externalInterface = "enp6s0";
    # Open ports for soulseek and weylus
    # NOTE(review): the same three ports are opened for TCP and UDP, on every
    # interface. Confirm each service needs UDP; if not, drop the UDP entries,
    # and consider networking.firewall.interfaces.<name> to scope the TCP ones.
    firewall = {
      allowedTCPPorts = [ 61377 1701 9001 ];
      allowedUDPPorts = [ 61377 1701 9001 ];
    };
  };

  # Setup home manager
  home-manager.users.nathan = import ./home.nix;

  # Disable session persistence: logind kills a user's remaining processes when
  # the session ends.
  services.logind.killUserProcesses = true;

  # TPM setup
  security.tpm2.enable = true;

  # Configure nix build
  nix.settings = {
    cores = 16;
    max-jobs = 4;
  };

  # vmware (unfree package, taken from the unstable channel)
  virtualisation.vmware.host = {
    enable = true;
    package = unstable.vmware-workstation;
  };

  # ZFS
  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs = {
    # Do not force-import the root pool at boot.
    forceImportRoot = false;
    extraPools = [ "bigssd" ];
  };
  services.zfs = {
    # Weekly scrub, Sunday at midnight.
    autoScrub = {
      enable = true;
      interval = "Sun, 00:00";
    };
    # Number of snapshots retained per tier.
    autoSnapshot = {
      enable = true;
      frequent = 4;
      hourly = 24;
      daily = 7;
      weekly = 2;
      monthly = 2;
    };
  };

  # Generated with head -c4 /dev/urandom | od -A none -t x4
  # Host identifier required by ZFS; it is not a secret.
  networking.hostId = "bc94e9d3";
}