{
  pkgs,
  inputs,
  ...
}:
let
  krita-thumbnailer = pkgs.writeTextFile {
    name = "krita-thumbnailer";
    destination = "/share/thumbnailers/kra.thumbnailer";
    text = ''
      [Thumbnailer Entry]
      Exec=sh -c "${pkgs.unzip}/bin/unzip -p %i preview.png > %o"
      MimeType=application/x-krita;
    '';
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ../../base.nix
    ../../gnome.nix
    ../../stylix.nix
  ];
  my = import ./toggles.nix;
  home-manager.users.jawz = {
    programs.ghostty = {
      enable = true;
      package = pkgs.ghostty;
      enableBashIntegration = true;
      installBatSyntax = true;
      installVimSyntax = true;
    };
  };
  networking = {
    hostName = "workstation";
    firewall =
      let
        kdeconnectPortRange = {
          from = 1714;
          to = 1764;
        };
        ns-usbloaderPort = 6674;
        openPorts = [ ns-usbloaderPort ];
        openPortRanges = [ kdeconnectPortRange ];
      in
      {
        allowedTCPPorts = openPorts;
        allowedUDPPorts = openPorts;
        allowedTCPPortRanges = openPortRanges;
        allowedUDPPortRanges = openPortRanges;
      };
  };
  nix.settings = {
    cores = 8;
    max-jobs = 8;
  };
  users = {
    groups.nixremote.gid = 555;
    users = {
      jawz.packages = builtins.attrValues {
        inherit (pkgs)
          distrobox # install packages from other os
          gocryptfs # encrypted filesystem! shhh!!!
          vcsi # video thumbnails for torrents, can I replace it with ^?
          ;
      };
      nixremote = {
        isNormalUser = true;
        createHome = true;
        group = "nixremote";
        home = "/var/nixremote/";
        openssh.authorizedKeys.keyFiles = [
          ../../secrets/ssh/ed25519_nixserver.pub
          ../../secrets/ssh/ed25519_nixminiserver.pub
        ];
      };
    };
  };
  environment = {
    pathsToLink = [ "share/thumbnailers" ];
    systemPackages = builtins.attrValues {
      # thumbnail for heif files & videos
      inherit krita-thumbnailer;
      inherit (pkgs)
        libheif
        ffmpegthumbnailer
        bign-handheld-thumbnailer
        gnome-epub-thumbnailer
        ;
      inherit (pkgs.libheif) out;
    };
    etc."wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
      bluez_monitor.properties = {
          ["bluez5.enable-sbc-xq"] = true,
          ["bluez5.enable-msbc"] = true,
          ["bluez5.enable-hw-volume"] = true,
          ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
      }
    '';
  };
  programs = {
    kdeconnect = {
      enable = true;
      package = pkgs.gnomeExtensions.gsconnect;
    };
    obs-studio = {
      enable = true;
      enableVirtualCamera = true;
      plugins = builtins.attrValues {
        inherit (pkgs.obs-studio-plugins)
          droidcam-obs
          obs-vkcapture
          obs-vaapi
          obs-tuna
          input-overlay
          ;
      };
    };
  };
  security.pki.certificateFiles = [
    ../../secrets/ssh/iqQCY4iAWO-ca.pem
  ];
  services = {
    flatpak.enable = true;
    open-webui.enable = true;
    scx = {
      enable = true;
      scheduler = "scx_lavd";
    };
    btrfs.autoScrub = {
      enable = true;
      fileSystems = [ "/" ];
    };
    protonmail-bridge = {
      enable = true;
      path = [ pkgs.gnome-keyring ];
    };
    ollama = {
      enable = true;
      acceleration = "cuda";
    };
    resilio = {
      enable = true;
      useUpnp = true;
      enableWebUI = true;
      package = inputs.jawz-scripts.packages.x86_64-linux.resilio;
      httpPass = "Uplifting-Proofs-Eggshell-Molecule-Wriggly-Janitor3-Padded-Oxidizing";
      deviceName = "Oversweet3834";
      httpLogin = "Oversweet3834";
      httpListenPort = 9876;
      httpListenAddr = "0.0.0.0";
      directoryRoot = "/resilio";
    };
  };
}