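{ config, pkgs, ... }:
{
  # NixOS host module for the "work" workstation: Hyprland desktop, Docker,
  # two OpenVPN client profiles with agenix-managed credentials, and
  # systemd-resolved for split DNS over the VPN.
  imports = [
    ./hardware-configuration.nix
    ./home-manager.nix
    ../core
    ../hyprland.nix
  ];

  system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix

  # NOTE(review): membership in "docker" is root-equivalent (anyone who can talk
  # to the daemon socket can bind-mount the host filesystem into a container).
  # Keep it only while this host really needs the rootful daemon;
  # virtualisation.docker.rootless is the least-privilege alternative.
  users.users.jras.extraGroups = [ "networkmanager" "docker" ];

  time.timeZone = "Europe/Amsterdam";

  # VPN credentials, decrypted by agenix at activation time. They are referenced
  # below through config.age.secrets.<name>.path so the plaintext never lands in
  # the world-readable Nix store (it would if the files were inlined into the
  # OpenVPN config strings).
  age.secrets = {
    ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
    ghostnet-key.file = ../../secrets/ghostnet-key.age;
    ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
    ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
    ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
    systems-cert.file = ../../secrets/systems-cert.age;
    systems-key.file = ../../secrets/systems-key.age;
    systems-ca.file = ../../secrets/systems-ca.age;
    systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
  };

  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };

  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking = {
    hostName = "work";
    networkmanager.enable = true;
    # NetworkManager hands DNS to systemd-resolved (configured below) instead of
    # writing /etc/resolv.conf itself.
    networkmanager.dns = "systemd-resolved";
    nameservers = [ "1.1.1.1" ];
    # No inbound TCP ports opened here. Note that services.openssh.openFirewall
    # defaults to true, so port 22 is still opened by the sshd module below; set
    # services.openssh.openFirewall = false if this host should never accept
    # inbound SSH.
    firewall.allowedTCPPorts = [ ];
  };

  services.libinput.mouse = {
    accelProfile = "flat";
    accelSpeed = "-5";
  };

  services.upower.enable = true;

  services.openssh = {
    enable = true;
    # sshd is reachable from whatever LAN this laptop is on, so only accept
    # public-key logins; password and keyboard-interactive auth are brute-
    # forceable and are on by default in NixOS. Make sure an authorized key for
    # "jras" is deployed (e.g. via home-manager) before rebuilding, or remote
    # access will be locked out.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Two OpenVPN client profiles, started on demand (autoStart = false) with
  # `systemctl start openvpn-<name>`. Both pin the peer with
  # `remote-cert-tls server` (another client's cert cannot impersonate the
  # gateway), authenticate the control channel with `tls-auth`, and drop to the
  # unprivileged nm-openvpn user after the keys are read (persist-key/persist-tun
  # keep them usable across restarts without re-reading as root).
  # `script-security 2` is required for the update-systemd-resolved up/down
  # scripts that the programs.update-systemd-resolved module injects.
  #
  # NOTE(review): `cipher AES-*-CBC` and `comp-lzo` are deprecated in OpenVPN
  # 2.5+; compression in particular is a known plaintext-leak vector (VORACLE).
  # Both are dictated by the remote servers, so change them only in lockstep
  # with the server operators (data-ciphers AES-256-GCM, compression off).
  services.openvpn.servers = {
    ghostnet = {
      config = ''
        client
        remote 185.57.9.6 1194
        cert ${config.age.secrets.ghostnet-cert.path}
        key ${config.age.secrets.ghostnet-key.path}
        ca ${config.age.secrets.ghostnet-ca.path}
        auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
        reneg-sec 0
        cipher AES-256-CBC
        comp-lzo adaptive
        dev tun
        proto udp
        remote-cert-tls server
        tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
        nobind
        auth-nocache
        script-security 2
        persist-key
        persist-tun
        user nm-openvpn
        group nm-openvpn
      '';
      # resolv.conf is owned by systemd-resolved; DNS for this link is pushed
      # via programs.update-systemd-resolved below instead.
      updateResolvConf = false;
      autoStart = false;
    };

    systems = {
      config = ''
        client
        remote 'vpn-v2.one.com'
        cert '${config.age.secrets.systems-cert.path}'
        key '${config.age.secrets.systems-key.path}'
        ca '${config.age.secrets.systems-ca.path}'
        cipher AES-128-CBC
        comp-lzo adaptive
        dev tun
        proto udp
        port 1200
        remote-cert-tls server
        tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
        nobind
        auth-nocache
        script-security 2
        persist-key
        persist-tun
        user nm-openvpn
        group nm-openvpn
      '';
      updateResolvConf = false;
      autoStart = false;
    };
  };

  # Split DNS for the ghostnet tunnel: only hostnetbv.nl. queries go to the
  # VPN-pushed resolvers; everything else keeps using the system resolvers
  # (defaultRoute = false). DNSSEC is off on the tunnel link only, since
  # internal zones are typically unsigned.
  programs.update-systemd-resolved.servers.ghostnet = {
    includeAutomatically = true;
    settings = {
      routeOnlyDomains = [ "hostnetbv.nl." ];
      defaultRoute = false;
      multicastDNS = "no";
      dnsOverTLS = "opportunistic";
      dnssec = "no";
    };
  };

  services.resolved = {
    enable = true;
    dnssec = "true";
    domains = [ "~." ];
    fallbackDns = [ "1.1.1.1" ];
    # Opportunistic DoT upgrades to TLS when the resolver supports it but falls
    # back to plaintext otherwise; it does not authenticate the resolver.
    dnsovertls = "opportunistic";
    # LLMNR is disabled: it answers and accepts multicast name lookups on the
    # local segment, which is a classic credential-capture/poisoning vector on
    # untrusted (office, hotel) networks and is not needed for VPN split DNS.
    llmnr = "false";
  };

  services.xserver.xkb = {
    layout = "us";
    variant = "";
  };

  programs.gnupg.agent = {
    enable = true;
    pinentryPackage = pkgs.pinentry-gnome3;
  };
}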