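{ pkgs, config, lib, inputs, ... }:
let
  shellType = config.my.shell.type;

  # Extracts the embedded preview image from a .kra file (a zip archive).
  # Input and output paths arrive as positional arguments, so the thumbnailer
  # framework's own quoting of %i/%o is the only quoting layer involved.
  krita-thumbnail = pkgs.writeShellScript "krita-thumbnail" ''
    exec ${pkgs.unzip}/bin/unzip -p "$1" preview.png > "$2"
  '';

  # Thumbnailer entry linked into share/thumbnailers (see pathsToLink below).
  # Calling the script directly instead of `sh -c "..."` with %i/%o expanded
  # inside a double-quoted string keeps file names containing quotes or other
  # shell-significant characters intact instead of breaking the command line.
  krita-thumbnailer = pkgs.writeTextFile {
    name = "krita-thumbnailer";
    destination = "/share/thumbnailers/kra.thumbnailer";
    text = ''
      [Thumbnailer Entry]
      Exec=${krita-thumbnail} %i %o
      MimeType=application/x-krita;
    '';
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
    ../../config/stylix.nix
    ../../environments/gnome.nix
    ../../config/derek.nix
  ];

  # Host toggles come from toggles.nix. `//` is a shallow merge: if toggles.nix
  # defines a top-level `nix`, `users` or `environments` set, it is replaced
  # wholesale by the values below rather than merged — TODO confirm toggles.nix
  # defines none of those names.
  my = import ./toggles.nix { inherit inputs; } // {
    nix.cores = 8;
    nix.maxJobs = 8;
    # Remote-build user; keys are resolved from the flake's own key list.
    users.nixremote.enable = true;
    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
      "nixserver"
      "nixminiserver"
    ];
    environments.gnome.users = [
      "jawz"
      "bearded_dragonn"
    ];
  };

  # Wireguard private key; only decrypted on secure hosts, matching the
  # wg0 interface definition below.
  sops.secrets."workstation/private" = lib.mkIf config.my.secureHost {
    sopsFile = ../../secrets/wireguard.yaml;
  };

  home-manager.users.jawz.programs = {
    vscode = {
      enable = true;
      package = pkgs.code-cursor;
    };
    ghostty = {
      enable = true;
      package = pkgs.ghostty;
      # Shell integration follows the shell selected in config.my.shell.type.
      enableBashIntegration = shellType == "bash";
      enableZshIntegration = shellType == "zsh";
      installBatSyntax = true;
      installVimSyntax = true;
      settings.term = "xterm-256color";
    };
  };

  networking = {
    hostName = "workstation";

    firewall = {
      # Opened on every interface, not only wg0: the Syncthing GUI and
      # ns-usbloader ports are reachable from any network this host joins.
      allowedTCPPorts = [
        config.my.ports.nsUsbloader
        config.my.ports.syncthingGui
      ];
      # KDE Connect / GSConnect port range (presumably redundant with
      # programs.kdeconnect, which opens it by default — verify).
      allowedTCPPortRanges = [
        {
          from = 1714;
          to = 1764;
        }
      ];
      # AI services are reachable from wireguard peers only.
      interfaces.wg0.allowedTCPPorts = [
        config.services.ollama.port
        config.services.open-webui.port
        config.services.sillytavern.port
        config.my.ports.comfyui
      ];
    };

    # NAT rule on wg0 for traffic addressed to this host's wireguard IP on the
    # SillyTavern port. Source and target port are the same value — the
    # reason the redirect is needed is not visible here; confirm with the
    # sillytavern service's listen address before removing it.
    nftables.tables.wg-local-redirect = {
      family = "ip";
      content = ''
        chain prerouting {
          type nat hook prerouting priority dstnat;
          iifname "wg0" ip daddr ${config.my.ips.wg-workstation}/32 tcp dport ${toString config.my.ports.sillytavern} redirect to :${toString config.my.ports.sillytavern}
        }
      '';
    };

    # Single peer: the VPS, which routes the homelab subnet.
    wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
      ips = [ "${config.my.ips.wg-workstation}/32" ];
      privateKeyFile = config.sops.secrets."workstation/private".path;
      peers = [
        {
          publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
          endpoint = "${config.my.ips.vps}:51820";
          persistentKeepalive = 25;
          allowedIPs = [
            "${config.my.ips.wg-vps}/32"
            config.my.subnets.wg-homelab
          ];
        }
      ];
    };
  };

  users = {
    # Shared group for the ollama and sillytavern services (see services below).
    groups.ai = { };
    users.jawz.packages = [
      (pkgs.google-cloud-sdk.withExtraComponents [
        pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
      ])
    ]
    ++ builtins.attrValues {
      inherit (pkgs)
        distrobox # install packages from other os
        gocryptfs # encrypted filesystem! shhh!!!
        vcsi # video thumbnails for torrents, can I replace it with ^?
        keypunch # practice typing
        google-cloud-sdk-gce
        ;
    };
  };

  environment = {
    # Required so the thumbnailer entries below land in the system profile.
    pathsToLink = [ "share/thumbnailers" ];
    systemPackages = builtins.attrValues {
      # thumbnail for heif files & videos
      inherit krita-thumbnailer;
      inherit (pkgs.libheif) out;
      inherit (pkgs)
        libheif
        ffmpegthumbnailer
        bign-handheld-thumbnailer
        gnome-epub-thumbnailer
        podman-compose
        scrcpy
        codex
        ;
      inherit (inputs.clip-tools.packages.${pkgs.system})
        clip-thumbnailer
        ;
    };
    etc."wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
      bluez_monitor.properties = {
        ["bluez5.enable-sbc-xq"] = true,
        ["bluez5.enable-msbc"] = true,
        ["bluez5.enable-hw-volume"] = true,
        ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
      }
    '';
  };

  programs = {
    # GSConnect is the GNOME implementation of the KDE Connect protocol.
    kdeconnect = {
      enable = true;
      package = pkgs.gnomeExtensions.gsconnect;
    };
    obs-studio = {
      enable = true;
      enableVirtualCamera = true;
      plugins = builtins.attrValues {
        inherit (pkgs.obs-studio-plugins)
          obs-vkcapture
          obs-vaapi
          obs-tuna
          input-overlay
          ;
      };
    };
  };

  # Private CAs added to the system trust store: every TLS client on this host
  # trusts any certificate these CAs sign.
  security.pki.certificateFiles = [
    ../../secrets/ssh/iqQCY4iAWO-ca.pem
    ../../secrets/ssh/root-private-ca.pem
  ];

  services = {
    flatpak.enable = true;

    # Bound to the wireguard address only; see firewall.interfaces.wg0 above.
    open-webui = {
      enable = true;
      port = config.my.ports.openWebui;
      host = config.my.ips.wg-workstation;
    };

    scx = {
      enable = true;
      scheduler = "scx_lavd";
    };

    btrfs.autoScrub = {
      enable = true;
      fileSystems = [ "/" ];
    };

    protonmail-bridge = {
      enable = true;
      path = [ pkgs.gnome-keyring ];
    };

    # Bound to the wireguard address only; runs in the shared `ai` group.
    ollama = {
      enable = true;
      acceleration = "cuda";
      models = "/srv/ai/ollama";
      user = "ollama";
      group = "ai";
      port = config.my.ports.ollama;
      host = config.my.ips.wg-workstation;
    };

    # Listens on the wireguard address only, with the whitelist enabled.
    sillytavern = {
      enable = true;
      port = config.my.ports.sillytavern;
      group = "ai";
      whitelist = true;
      listenAddressIPv4 = config.my.ips.wg-workstation;
    };
  };
}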