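{ config, lib, pkgs, ... }:

let
  # SUPPLY CHAIN: both tarballs are fetched without a `sha256`, from moving
  # targets (a channel and a `master` branch). Whatever is served at evaluation
  # time is trusted and ends up running as root; pin them with
  # `builtins.fetchTarball { url = ...; sha256 = "..."; }` (hash via
  # `nix-prefetch-url --unpack`) or turn them into locked flake inputs.
  # `unstable` is not referenced anywhere in this file; since `let` bindings are
  # lazy it is never actually fetched, but it also cannot be seen by the
  # imported modules — pass it through `_module.args` if they need it.
  unstable = import (fetchTarball "https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz") {
    config = { allowUnfree = true; };
  };
  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in
{
  imports = [
    "${impermanence}/nixos.nix"
    ./hardware-configuration.nix
    # (Optional) uncomment to make Sway the default session:
    # ./modules/sway/sway.nix
    ./modules/nvim/default.nix
    ./utils/bento.nix
    ./utils/modules/sops.nix
    ./utils/modules/nur.nix
    ./utils/modules/autoupgrade.nix
    ./users
    ./modules/steam-deck-mode.nix
  ];

  nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ];

  services.gvfs.enable = true;

  # Only fonts belong in `fonts.packages`: fontconfig merely scans these store
  # paths, it does not put binaries on PATH. The tools that used to be listed
  # here (git, jq, zsh plugins, creality-print, ...) were silently unavailable
  # as commands; they now live in environment.systemPackages below.
  fonts.packages = with pkgs; [ open-sans ];

  programs.zsh = {
    enable = true;
    ohMyZsh = {
      enable = true;
      theme = "steeef";
      plugins = [ "git" ];
    };
  };
  users.defaultUserShell = pkgs.zsh;

  services.fwupd.enable = true;

  # Impermanence: everything outside these lists is lost on reboot.
  environment.persistence."/nix/persist" = {
    hideMounts = true;
    directories = [ "/home" ];
  };
  environment.persistence."/nix/persist/system" = {
    hideMounts = true;
    directories = [
      "/etc/nixos"
      "/root/.ssh"
      "/var/bento"
      "/var/log"
      "/var/lib/bluetooth"
      "/var/lib/docker"
      "/var/lib/nixos"
      # Holds Wi-Fi/VPN credentials in plaintext; NetworkManager keeps the
      # directory root-only, make sure the persisted copy stays that way too.
      "/etc/NetworkManager/system-connections"
    ];
    files = [
      "/etc/machine-id"
      # The host key is also the sops/age decryption key (see sops.age.sshKeyPaths
      # below): if it does not survive a reboot, every secret in secrets.yaml
      # becomes undecryptable. The key file itself must be root-only; note that
      # /etc/ssh is normally 0755 and a 0700 parent keeps unprivileged users
      # from reaching ssh_config / ssh_known_hosts beneath it — confirm this is
      # intended rather than widening the mode here.
      {
        file = "/etc/ssh/ssh_host_ed25519_key";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
      {
        file = "/etc/ssh/ssh_host_ed25519_key.pub";
        parentDirectory = { mode = "u=rwx,g=,o="; };
      }
    ];
  };

  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.defaultSopsFile = ./secrets.yaml;

  networking.hostName = "gpd-win4";
  time.timeZone = "Europe/Vienna";

  nixpkgs.config.allowUnfree = true;
  # Disables nixpkgs' "marked broken" guard globally, so known-broken (and
  # occasionally known-vulnerable) packages build without warning. Prefer
  # allowing the one package that needs it via `allowBrokenPredicate`.
  nixpkgs.config.allowBroken = true;

  console.keyMap = "de";

  # sshd on a roaming laptop whose only user is in `wheel`: a guessed password
  # here is root via sudo, so only accept keys. Put your public key into
  # users.users.dominik.openssh.authorizedKeys.keys before rebuilding.
  # PermitRootLogin is left at the NixOS default ("prohibit-password").
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  security.polkit.enable = true;
  networking.networkmanager.enable = true;

  users.users.dominik = {
    isNormalUser = true;
    # This yescrypt hash is copied into the world-readable /nix/store with every
    # generation, so any local account (or a leaked store path) can run offline
    # cracking against it. Prefer `hashedPasswordFile` pointing at a sops secret
    # declared with `neededForUsers = true`.
    hashedPassword = "$y$j9T$btz9xel62NjCyLdQRm5ck1$iCm6R7u4wiMeSVfrB6Y.3UwoQJ/rfkXiYSrXI2RTYm/";
    # `wheel` grants sudo; `docker` and `disk` are root-equivalent on their own
    # (docker socket access, raw block-device access), so this user is root
    # several ways over — drop the ones that are not actually needed.
    extraGroups = [
      "wheel"
      "disk"
      "video"
      "audio"
      "mysql"
      "docker"
      "vboxusers"
      "networkmanager"
      "onepassword"
      "onepassword-cli"
      "dialout"
    ];
  };

  powerManagement.cpuFreqGovernor = "powersave";
  virtualisation.docker.enable = true;

  # Secrets decrypted from secrets.yaml at activation; referenced by path below.
  sops.secrets.epicenter_vpn_ca = {};
  sops.secrets.epicenter_vpn_cert = {};
  sops.secrets.epicenter_vpn_key = {};
  sops.secrets.wg-cloonar-key = {};

  environment.systemPackages = with pkgs; [
    bento
    docker-compose
    drone-cli
    git
    git-filter-repo
    git-lfs
    jq
    nix-prefetch
    nix-prefetch-git
    vim
    wget
    wireguard-tools
    creality-print
    # zsh add-ons (oh-my-zsh itself is wired up via programs.zsh.ohMyZsh)
    oh-my-zsh
    zsh-autosuggestions
    zsh-completions
    zsh-syntax-highlighting
    zsh-history-substring-search
    # Fingerprint packages for normal system (enrollment, management)
    fprintd
    libfprint-2-tod1-goodix
  ];

  environment.variables = {
    TERMINAL_COMMAND = "alacritty";
  };

  services.blueman.enable = true;

  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.42.98.203/32" ];
      # Private key comes from sops, never from the store.
      privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
      peers = [
        {
          publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
          allowedIPs = [
            "10.42.96.0/20"
            "10.254.240.0/24"
            "10.254.235.0/24"
            "10.14.0.0/16"
            "10.25.0.0/16"
          ];
          endpoint = "vpn.cloonar.com:51820";
          persistentKeepalive = 25;
        }
      ];
      # `-m 0 -x` makes the tunnel's resolver exclusive while wg0 is up, i.e. the
      # VPN nameserver sees *all* of this host's DNS queries, not only
      # cloonar.com ones; drop `-x` if split DNS is what you want.
      postSetup = ''
        printf "nameserver 10.42.97.1\nsearch cloonar.com" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 -x
      '';
      # Without this the wg0 resolver entry outlived the tunnel: the company DNS
      # server stayed in resolv.conf after `wg0` went down.
      postShutdown = ''
        ${pkgs.openresolv}/bin/resolvconf -d wg0
      '';
    };
  };

  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = [ "nix-command" "flakes" ];
      min-free = 104857600;
      max-free = 1073741824;
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };

  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.displayManager.defaultSession = "gnome";

  # Enable fprintd for fingerprint authentication in the OS.
  services.fprintd.enable = true;
  # In some NixOS releases, GDM forcibly sets fprintAuth = false, so override
  # with mkForce. The display manager's PAM service is "gdm-password", not
  # "gdm". A fingerprint alone unlocks these services; `sudo` is deliberately
  # not included and keeps asking for the password.
  security.pam.services."login".fprintAuth = lib.mkForce true;
  security.pam.services."gdm-password".fprintAuth = lib.mkForce true;

  system.stateVersion = "24.11";
}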