{
# An instance of `pkgs` with your overlays and packages applied is also available.
pkgs, inputs, ... }: {
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480
  ];

  # basic setup
  time.timeZone = "Asia/Kolkata";
  networking = {
    hostName = "thinkpad";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        53317 # localsend
      ];
      allowedUDPPorts = [
        53317 # localsend
      ];
      allowedTCPPortRanges = [
        # KDE Connect
        {
          from = 1714;
          to = 1764;
        }
      ];
    };
  };

  snowflake = {
    locale = "en_US.UTF-8";

    extraPackages = with pkgs; [
      # try airdrop
      opendrop
      owl
      wirelesstools
      # # put in monitor mode
      # sudo ifconfig wlp3s0 down
      # sudo iwconfig wlp3s0 mode monitor
      # sudo owl -i wlp3s0 -N
      # # revert
      # sudo ifconfig wlp3s0 down
      # ip link set wlp3s0 up
    ];
    core = {
      openssh.enable = true;
      usbguard = {
        enable = true;
        serviceEnable = true;
        rules = ''
          allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
          allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
          allow id 1d6b:0002 serial "0000:3c:00.0" name "xHCI Host Controller" hash "+k9gUUE6Cnbob2WB/I//KMZ1hZ1UgvI6RrqNkIDvdmQ=" parent-hash "zCxLdr73Tn0YoKg15XR1ttIXizl8vMD+KtVAQnBZO8I=" with-interface 09:00:00 with-connect-type ""
          allow id 1d6b:0003 serial "0000:3c:00.0" name "xHCI Host Controller" hash "f/j0P3jeotLSPQLacl0JEBDT/k4mgTo84SKV39leYSc=" parent-hash "zCxLdr73Tn0YoKg15XR1ttIXizl8vMD+KtVAQnBZO8I=" with-interface 09:00:00 with-connect-type ""
          allow id 8087:0a2b serial "" name "" hash "TtRMrWxJil9GOY/JzidUEOz0yUiwwzbLm8D7DJvGxdg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
          allow id 04f2:b604 serial "0001" name "Integrated Camera" hash "Sra5Do2lULxlGqcVOc0E68CJLWT1st8KiYXu4dbUQoQ=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "not used"
          allow id 0bda:0316 serial "20120501030900000" name "USB3.0-CRW" hash "WG1MSC3YZsmCslTNGpjTTjT2lUvhNfU4gEVvD3gIuV4=" parent-hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" with-interface 08:06:50 with-connect-type "not used"
        '';
      };
      latestKernel = true;
    };

    networking = {
      networkmanager = { enable = true; };
      netbirdClient = { enable = true; };
    };

    hardware = {
      isEfi = true;
      xbootldrMountPoint = "/boot";
      efiSysMountPoint = "/efi";
      diskDevice = "/dev/sda";
      isInitrdLuksUnlockingEnabled = true;
      laptop = {
        enable = true;
        lidSwitch = "lock";
      };
    };

    services = {
      syncthing = {
        enable = true;
        user = "cc";
        password = "xxxxxxxxxx";
        dataDir = "/home/cc/Documents";
        configDir = "/home/cc/.config/syncthing";
      };
      restic = {
        enable = true;
        name = "thinkpad";
      };
    };

    workstation = {
      enable = true;
      isDevMachine = true;
      desktop = {
        enable = true;
        autoLoginUser = "cc";
      };
      networking.profiles.enable = true;
    };

    virtualisation = {
      docker.enable = true;
      kvm = {
        enable = true;
        ovmf.enable = false;
      };
    };

    user = {
      enable = true;
      users = {
        cc = {
          isNormalUser = true;
          shell = pkgs.zsh;
          description = "Ameya Shenoy";
          extraGroups = [
            "wheel" # for sudo access
            "audio"
            "networkmanager" # for modifying WiFi without sudo
            "docker" # for docker cli without root
            "input"
            "kvm" # for kvm VMs
            "libvirtd" # for kvm VMs
          ];
          initialHashedPassword =
            "$y$j9T$cfmQcJ67WPKPEhsIbH2aC.$m8bDYq5dZrfx8NdU57jKbRc1nFuSB7iKdnAka6/u9R0";
          authorizedKeys = [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C eden-thinkpad-zephyrus-cell"
          ];
        };
      };
    };
  };

  environment.etc = {
    # wireguaard config
    "wireguard/gvine.conf".source = ../../../conf/wireguard/gvine.conf;
    "wireguard/kryo.conf".source = ../../../conf/wireguard/kryo.conf;
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
}