# NixOS module for the "tristnix" image: image identity, Nix daemon settings,
# locale, privilege escalation, base packages, SSH/firewall and stylix theming.
{ config, lib, pkgs, inputs, system, self, ... }:
let
  # Short revision of the flake; when the flake carries no shortRev attribute
  # (typically an uncommitted work tree) the image is labelled "dirty".
  commitid = self.shortRev or "dirty";

  # The two locale names used throughout the i18n section.
  english = "en_US.UTF-8";
  german = "de_DE.UTF-8";
in
{
  system = {
    switch.enable = false;
    switch.enableNg = true;
    image.id = "tristnix";
    image.version = commitid;
  };
  # system.nixos.tags = [ "tristnix_${commitid}" ];

  # `system` here is the module argument, not the attribute set defined above.
  nixpkgs.hostPlatform = lib.mkDefault system;

  boot.tmp.useTmpfs = true;
  # /tmp is a tmpfs (see above); the daemon is pointed at /var/tmp instead,
  # presumably so that large builds do not consume RAM.
  systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";

  nix = {
    package = pkgs.nixFlakes;
    settings.auto-optimise-store = true;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  home-manager.backupFileExtension = "bak";

  # locale
  time.timeZone = "Europe/Berlin";
  i18n = {
    defaultLocale = english;
    extraLocaleSettings = {
      # Language, character handling and messages stay English ...
      LANG = english;
      LC_CTYPE = english;
      LC_MESSAGES = english;
      # ... every formatting category follows German conventions.
      LC_ADDRESS = german;
      LC_COLLATE = german;
      LC_IDENTIFICATION = german;
      LC_MEASUREMENT = german;
      LC_MONETARY = german;
      LC_NAME = german;
      LC_NUMERIC = german;
      LC_PAPER = german;
      LC_TELEPHONE = german;
      LC_TIME = german;
    };
  };

  ####################

  security = {
    # The internal CA is read at evaluation time and added to the system trust
    # store, so software using the system bundle accepts certificates issued
    # by it for any name.
    pki.certificates = [ (lib.readFile ../../ext/internal-ca.crt) ];
    rtkit.enable = true;

    # sudo-rs replaces classic sudo.
    sudo.enable = false;
    sudo-rs = {
      enable = true;
      # Only members of wheel may execute the sudo binary at all.
      execWheelOnly = true;
      # wheel members get root without a password prompt unless a host
      # overrides this default; combined with key-only SSH below, a wheel
      # user's SSH key is effectively the root credential.
      wheelNeedsPassword = lib.mkDefault false;
    };
  };

  environment = {
    sessionVariables.EDITOR = "nvim";
    systemPackages = with pkgs; [
      fclones
      curl
      fish
      figlet
      neovim # editor
      nix-alien
      git
      vim # fallback
      ed
      wget

      ## MONITORING TOOLS ##
      btop # for CPU, RAM, and Disk monitoring
      iotop # for disk I/O monitoring
      iftop # for network I/O monitoring
    ];
  };

  # Bind-mount the flake checkout from the user's home onto /etc/nixos.
  fileSystems."/etc/nixos" = {
    device = lib.mkDefault "/home/tristand/nix";
    fsType = "none";
    options = [ "bind" ];
  };

  programs = {
    nh = {
      enable = true;
      flake = "/home/tristand/nix";
      clean = {
        enable = true;
        extraArgs = "--keep-since 30d --keep 16";
      };
    };

    rust-motd = {
      # enable = true; # broken atm
      enableMotdInSSHD = true;
      order = [
        "global"
        "banner"
        "uptime"
        "memory"
        "filesystems"
        "last_login"
      ];
      settings = {
        global = {
          progress_full_character = "=";
          progress_empty_character = "-";
          progress_prefix = "[";
          progress_suffix = "]";
        };
        banner = {
          color = "green";
          command = ''
            ${pkgs.inetutils}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant
          '';
        };
        uptime.prefix = "Up";
        memory.swap_pos = "beside";
        filesystems = {
          root = "/";
          home = "/home";
        };
        # One entry with value 2 for every user that home-manager manages.
        last_login = lib.genAttrs (builtins.attrNames config.home-manager.users) (_: 2);
      };
    };

    nix-ld = {
      enable = true;
      package = pkgs.nix-ld-rs;
    };
    command-not-found.enable = false;
    nix-index-database.comma.enable = true;
    fish.enable = true;

    gnupg.agent = {
      enable = true;
      # enableSSHSupport = true; # breaks gitea foo
      pinentryPackage = lib.mkForce pkgs.pinentry-qt;
    };
  };

  services = {
    fwupd.enable = true;
    # envfs.enable = true; # not needed due to flake

    # ntpd-rs is the only time daemon; the two alternatives are switched off.
    timesyncd.enable = false;
    ntp.enable = false;
    ntpd-rs.enable = true;

    openssh = {
      enable = true;
      settings = {
        # Public-key login only: password and keyboard-interactive are off.
        PubKeyAuthentication = true;
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Only the sntrup761/x25519 hybrid key exchange is offered, so a client
        # without it cannot connect.
        # NOTE(review): confirm every client and automation path supports it.
        KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" ];
      };
      # Agent and X11 forwarding are off; TCP and Unix-socket forwarding stay
      # enabled for every account that can log in.
      # NOTE(review): if only some accounts need tunnels, scope the two
      # forwarding directives with a Match block.
      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        AllowStreamLocalForwarding yes
        AuthenticationMethods publickey
      '';
    };

    gvfs.enable = true;

    # NOTE(review): to my knowledge services.avahi.openFirewall defaults to
    # true in nixpkgs, which would admit mDNS (UDP 5353) in addition to the
    # ssh entry in networking.firewall — confirm for the pinned nixpkgs.
    avahi = {
      enable = true;
      nssmdns4 = true;
    };
  };

  networking.firewall = {
    allowedTCPPortRanges = [
      { from = 22; to = 22; } # ssh
    ];
    # Attaches the netbios-ns conntrack helper to outgoing UDP/137.
    # NOTE(review): the rule is appended with -A to a chain the firewall does
    # not appear to own; check that reloads do not stack duplicates, and put a
    # matching removal in networking.firewall.extraStopCommands if they do.
    extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
  };

  # TODO Extract into stylix module
  services.kmscon = {
    enable = true;
    hwRender = config.hardware.amdgpu.initrd.enable;
  };

  stylix =
    let
      # Generated NixOS wallpaper in the gruvbox rainbow preset.
      generatedWallpaper = pkgs.nix-wallpaper.override {
        preset = "gruvbox-dark-rainbow";
        logoSize = 24;
        width = 6960;
        height = 4320;
      };
      wallpaperFile = "${generatedWallpaper}/share/wallpapers/nixos-wallpaper.png";

      # Nerd Fonts build reduced to the families listed here.
      nerdFontSubset = pkgs.nerdfonts.override {
        fonts = [
          "Iosevka"
          "IosevkaTerm"
          "FiraCode"
          "DroidSansMono"
          "NerdFontsSymbolsOnly"
        ];
      };
    in
    {
      enable = true;
      # Targets are opted into individually in `targets` below.
      autoEnable = false;
      polarity = "dark";
      image = wallpaperFile;
      base16Scheme = lib.mkForce "${pkgs.base16-schemes}/share/themes/gruvbox-dark-hard.yaml";
      opacity.terminal = 0.88;

      cursor = {
        package = pkgs.kdePackages.breeze;
        name = "breeze_cursors";
        size = 24;
      };

      fonts = {
        sansSerif = {
          package = nerdFontSubset;
          name = "Iosevka Nerd Font Propo";
        };
        # Serif text reuses the sans-serif face.
        serif = config.stylix.fonts.sansSerif;
        monospace = {
          package = nerdFontSubset;
          name = "Iosevka Nerd Font Mono";
        };
        emoji = {
          package = pkgs.noto-fonts-emoji;
          name = "Noto Color Emoji";
        };
      };

      targets = {
        console.enable = true;
        fish.enable = true;
        gtk.enable = true;
        kmscon.enable = true;
        nixos-icons.enable = true;
      };
    };
}