{ pkgs, ... }:
let
  username = "jolheiser";
  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh5aUDN/KN28+4tbayXRQliLyKFZaCZtUMEBNaJfHYj";
in
{
  imports = [ ./hardware.nix ];

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    kernelParams = [
      "quiet"
      "splash"
    ];
    loader.grub = {
      enable = true;
      device = "/dev/sda";
      useOSProber = true;
      enableCryptodisk = true;
    };
  };

  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };

  boot.initrd.luks.devices = {
    "luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".keyFile = "/crypto_keyfile.bin";
    "luks-a2ca1842-1ce0-437e-ba5e-8864a41e81cb" = {
      device = "/dev/disk/by-uuid/a2ca1842-1ce0-437e-ba5e-8864a41e81cb";
      keyFile = "/crypto_keyfile.bin";
    };
  };

  networking = {
    hostName = "gunpowder";
    networkmanager.enable = true;
    firewall.enable = true;
  };

  services = {
    xserver = {
      enable = true;
      displayManager.lightdm.enable = true;
      desktopManager.xfce.enable = true;
    };
    openssh.enable = true;
    tailscale.enable = true;
    mullvad-vpn = {
      enable = true;
      package = pkgs.mullvad-vpn;
    };
    resolved.enable = true;

    # media
    jellyfin = {
      enable = true;
      openFirewall = true;
    };
    sonarr.enable = true;
    radarr.enable = true;
    bazarr.enable = true;
    prowlarr.enable = true;
    tsnet-serve.instances = {
      jellyfin = {
        enable = true;
        backend = "http://127.0.0.1:9086";
        authKey = "tskey-auth-k8LDnQ5Lba11CNTRL-5QbfHxZRs1UUPHm64ZEB2U4uzTjGR5t2"; # One-time key
      };
      sonarr = {
        enable = true;
        backend = "http://127.0.0.1:8989";
        authKey = "tskey-auth-kb3G9Gp1s811CNTRL-uwN8PCBF9M9Q6jWDpQXSM98jj6o33tkAE"; # One-time key
      };
      radarr = {
        enable = true;
        backend = "http://127.0.0.1:7878";
        authKey = "tskey-auth-kJY2J4DJke11CNTRL-m5TVetb5geTxiyrtyauyeTS9C4ZvfdvRL"; # One-time key
      };
      bazarr = {
        enable = true;
        backend = "http://127.0.0.1:6767";
        authKey = "tskey-auth-kEh77KQqzx11CNTRL-zofQaxrHmcJFS5Y4p6Z4dJyxkbHB8DWQ"; # One-time key
      };
      prowlarr = {
        enable = true;
        backend = "http://127.0.0.1:9696";
        authKey = "tskey-auth-kkFSG4vzTN11CNTRL-tt9A1vsHSoDfJQKkcCfjoDRxtTxa9ioDX"; # One-time key
      };
    };
  };

  users = {
    users = {
      "${username}" = {
        extraGroups = [
          "wheel"
          "docker"
          "storage"
        ];
        isNormalUser = true;
        openssh.authorizedKeys.keys = [ key ];
      };
      "root".openssh.authorizedKeys.keys = [ key ];
    };
    groups.media.members = [
      "jolheiser"
      "olheiser"
      "jellyfin"
      "radarr"
      "sonarr"
    ];
  };

  environment.systemPackages = with pkgs; [ qbittorrent ];

  system.stateVersion = "22.11";
}