# NixOS configuration for the host "gunpowder": GRUB boot from LUKS-encrypted
# disks, an XFCE desktop, SSH/Tailscale/Mullvad access, and a media stack
# (jellyfin + sonarr/radarr/bazarr/prowlarr) published through tailproxy.
{ pkgs, ... }:
let
  username = "jolheiser";
  # Public key authorised for both the normal user and root (see `users`).
  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh5aUDN/KN28+4tbayXRQliLyKFZaCZtUMEBNaJfHYj";
in
{
  imports = [ ./hardware.nix ];

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    kernelParams = [ "quiet" "splash" ];

    loader.grub = {
      enable = true;
      device = "/dev/sda";
      useOSProber = true;
      enableCryptodisk = true;
    };

    initrd = {
      # `null` copies the key file from the same path on the running system
      # into the initrd.
      # NOTE(review): the initrd therefore contains LUKS key material; confirm
      # (hardware.nix is not visible here) that /boot is not a separate
      # unencrypted partition.
      secrets."/crypto_keyfile.bin" = null;

      luks.devices = {
        "luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".keyFile = "/crypto_keyfile.bin";
        "luks-a2ca1842-1ce0-437e-ba5e-8864a41e81cb" = {
          device = "/dev/disk/by-uuid/a2ca1842-1ce0-437e-ba5e-8864a41e81cb";
          keyFile = "/crypto_keyfile.bin";
        };
      };
    };
  };

  networking.hostName = "gunpowder";
  networking.networkmanager.enable = true;
  networking.firewall.enable = true;

  services = {
    xserver = {
      enable = true;
      displayManager.lightdm.enable = true;
      desktopManager.xfce.enable = true;
    };

    # NOTE(review): no sshd hardening options are set in this file, so password
    # authentication and root-login policy follow the defaults of the nixpkgs
    # release in use. Both accounts below already have a key; confirm whether
    # password logins are still wanted.
    openssh.enable = true;
    tailscale.enable = true;
    mullvad-vpn = {
      enable = true;
      package = pkgs.mullvad-vpn;
    };
    resolved.enable = true;

    # media
    # NOTE(review): `openFirewall = true` opens each service's port on the host
    # firewall, in addition to the tailnet exposure configured under
    # `tailproxy`. If these apps are meant to be reached only over Tailscale,
    # confirm that the extra LAN-facing exposure is intended.
    jellyfin = {
      enable = true;
      openFirewall = true;
    };
    sonarr = {
      enable = true;
      openFirewall = true;
    };
    radarr = {
      enable = true;
      openFirewall = true;
    };
    bazarr = {
      enable = true;
      openFirewall = true;
    };
    prowlarr = {
      enable = true;
      openFirewall = true;
    };

    # One tailproxy entry per media app, each forwarding to the app's local port.
    # NOTE(review): string values written inline in a Nix expression are
    # readable by anyone who can read this file, and are typically also copied
    # into the world-readable /nix/store. The author marks these as one-time
    # keys; confirm each one is single-use and already consumed or expired, and
    # revoke any that is not. Whether the tailproxy module can read the key
    # from a file outside the store cannot be determined from this file.
    tailproxy = {
      jellyfin = {
        enable = true;
        hostname = "jellyfin";
        port = 8096;
        authKey = "tskey-auth-khZwt3ASDX11CNTRL-jYDAVuX7VVLCebLUGdvnVLLoUkeEevXEV"; # One-time key
      };
      sonarr = {
        enable = true;
        hostname = "sonarr";
        port = 8989;
        authKey = "tskey-auth-k1mZ4587A511CNTRL-uxq54KBAvb6YuhvZbxscb6rf7x8UwNiP"; # One-time key
      };
      radarr = {
        enable = true;
        hostname = "radarr";
        port = 7878;
        authKey = "tskey-auth-kjuWphWmFp11CNTRL-dcpVCTbdPTAAiqQHaKVhTA27uNQeHxmq5"; # One-time key
      };
      bazarr = {
        enable = true;
        hostname = "bazarr";
        port = 6767;
        authKey = "tskey-auth-kydeAt7KDA21CNTRL-bLfZMG4ip4i4a91DX1b85ipjnZi9KgoN9"; # One-time key
      };
      prowlarr = {
        enable = true;
        hostname = "prowlarr";
        port = 9696;
        authKey = "tskey-auth-koCbGEVEvh11CNTRL-7pxqVBdP4v5xNvsPP5mMv5oW8PrgVQmb"; # One-time key
      };
    };
  };

  users = {
    users = {
      ${username} = {
        isNormalUser = true;
        # "wheel" grants sudo. Membership of "docker" is generally equivalent
        # to root while a Docker daemon is running.
        # NOTE(review): Docker is not enabled in this file; confirm the group
        # is still needed.
        extraGroups = [ "wheel" "docker" "storage" ];
        openssh.authorizedKeys.keys = [ key ];
      };

      # The same key is authorised for direct root login over SSH.
      root.openssh.authorizedKeys.keys = [ key ];
    };

    # NOTE(review): "olheiser" is not declared as a user in this file; confirm
    # it is an account defined elsewhere and not a typo of "jolheiser".
    groups.media.members = [ "jolheiser" "olheiser" "jellyfin" "radarr" "sonarr" ];
  };

  environment.systemPackages = [ pkgs.qbittorrent ];

  system.stateVersion = "22.11";
}