# NixOS host configuration for a laptop driven by the `nixos-x13s` module
# (`nodeFlake.inputs.nixos-x13s`), with sops-managed secrets, disko-managed
# disks, a Bluetooth MAC fix-up service, remote Nix builders and a desktop
# (sway + home-manager) environment.
#
# Module arguments:
#   repoFlake       - repository flake; provides the sops-nix module
#   nodeFlake       - per-node flake; provides nixos-x13s, disko and the
#                     x13s-ath11k-firmware package
#   pkgs, lib, config - standard NixOS module arguments
#   nodeName        - host name; also selects the sops secrets file
#   localDomainName - not referenced in this file
#   system          - used to pick the node flake package set
{ repoFlake, nodeFlake, pkgs, lib, config, nodeName, localDomainName, system, ... }:

{
  nixos-x13s = {
    enable = true;
    # TODO: use hardware address
    # NOTE(review): this static MAC is interpolated into the shell script of
    # bluetooth-x13s-mac below; it is a module option, not runtime input.
    bluetoothMac = "65:9e:7a:8b:86:28";
    kernel = "jhovold";
  };

  services.illum.enable = true;

  # Oneshot that waits for the Bluetooth controller firmware to finish loading
  # (as seen in the boot journal) and then programs a public address with
  # btmgmt while the radio is rfkill-blocked. It runs before, and is required
  # by, bluetooth.service.
  systemd.services.bluetooth-x13s-mac = lib.mkForce {
    enable = true;
    path = [ pkgs.systemd pkgs.util-linux pkgs.bluez5-experimental pkgs.expect ];
    script = ''
      # TODO: this may not be required
      # NOTE(review): this loop has no upper bound; if the journal line never
      # appears the unit never completes and bluetooth.service stays held
      # back (oneshot units get no start timeout unless TimeoutStartSec is
      # set) — confirm that is the intended failure mode.
      while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do
        echo Waiting for bluetooth firmware to complete
        echo
        sleep 1
      done

      (
        # best effort
        # Failures of the three commands below are reported via their exit
        # codes in the unit log but do not fail the unit.
        set +e

        rfkill block bluetooth
        echo $?

        # The address comes from the nixos-x13s.bluetoothMac option and is
        # substituted at evaluation time (unquoted, so it must not contain
        # shell metacharacters — a MAC string does not).
        btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
        echo $?

        rfkill unblock bluetooth
        echo $?
      )
    '';
    requiredBy = ["bluetooth.service"];
    before = ["bluetooth.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;

      # we need a tty, otherwise btmgmt will hang
      # NOTE(review): the unit takes over /dev/tty2 at boot (reset + vhangup);
      # anything else using that VT is disconnected while it runs.
      StandardInput = "tty";
      TTYPath = "/dev/tty2";
      TTYReset = "yes";
      TTYVHangup = "yes";
    };
  };

  imports = [
    nodeFlake.inputs.nixos-x13s.nixosModules.default
    repoFlake.inputs.sops-nix.nixosModules.sops
    nodeFlake.inputs.disko.nixosModules.disko
    ./disko.nix
    ../../snippets/nix-settings.nix
    ../../snippets/nix-settings-holo-chain.nix
    ../../snippets/mycelium.nix
    ../../profiles/common/user.nix

    # Inline module: SSH access, sops secrets and remote builders.
    {
      services.openssh.enable = true;
      # NOTE(review): "yes" allows root to log in with a password over SSH,
      # and openFirewall below exposes sshd on every interface. If only key
      # based root access is needed, "prohibit-password" keeps the remote
      # builder/admin workflow working with a smaller exposure.
      services.openssh.settings.PermitRootLogin = "yes";
      services.openssh.openFirewall = true;

      # Secrets for this host live in a per-node sops file selected by nodeName.
      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";

      users.commonUsers = { enable = true; enableNonRoot = true; };

      # SSH private key used by the nix daemon to reach the remote builders;
      # decrypted by sops-nix to the path referenced in nix.buildMachines.
      # NOTE(review): the secret is declared with default options — verify the
      # resulting file ownership/mode is restricted to root, which is the only
      # user that needs it here.
      sops.secrets.builder-private-key = {};

      nix.distributedBuilds = true;
      nix.buildMachines = [
        {
          hostName = "sj-bm-hostkey0.dev.infra.holochain.org";
          sshUser = "nix-remote-builder";
          sshKey = config.sops.secrets.builder-private-key.path;
          protocol = "ssh-ng";
          systems = [
            "x86_64-linux"
            # "aarch64-linux"
          ];
          supportedFeatures = [ "big-parallel" "kvm" ];
          # NOTE(review): maxJobs = 0 presumably keeps this builder from being
          # scheduled while leaving it configured — confirm.
          maxJobs = 0;
        }
        {
          hostName = "x64-linux-dev-01.dev.infra.holochain.org";
          sshUser = "nix-remote-builder";
          sshKey = config.sops.secrets.builder-private-key.path;
          protocol = "ssh-ng";
          systems = [
            "x86_64-linux"
            # "aarch64-linux"
          ];
          supportedFeatures = [ "big-parallel" "kvm" ];
          maxJobs = 32;
        }
      ];
    }

    # TODO: create syncthing os snippet
    # Inline module: opens the syncthing ports (22000 tcp/udp, 21027 udp) on
    # wired and wireless interfaces only, plus iperf3 on all interfaces.
    (let
      tcp = [22000];
      udp = [ 22000 21027 ];
    in {
      # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
      # The per-interface rules are the workaround for not being able to
      # exclude the zerotier interfaces (zt+) from a global rule.
      networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
      networking.firewall.interfaces."en+".allowedUDPPorts = udp;
      networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
      networking.firewall.interfaces."wl+".allowedUDPPorts = udp;

      # NOTE(review): unlike the syncthing ports above, this one is open on
      # every interface, including zerotier — confirm that is intended.
      networking.firewall.allowedTCPPorts = [
        # iperf3
        5201
      ];
    })

    ../../snippets/home-manager-with-zsh.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/bluetooth.nix
    ../../snippets/timezone.nix
    ../../snippets/radicale.nix
    ../../snippets/holo-zerotier.nix
  ];

  networking.hostName = nodeName;
  networking.firewall.enable = true;
  networking.networkmanager.enable = true;

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = [
    pkgs.sshfs
    pkgs.util-linux
    pkgs.coreutils
    pkgs.vim
    pkgs.git
    pkgs.git-crypt
  ];

  system.stateVersion = "23.11";

  home-manager.users.root = _: {
    home.stateVersion = "23.11";
  };

  home-manager.users.steveej = _: {
    home.stateVersion = "23.11";

    imports = [
      ../../../home-manager/configuration/graphical-fullblown.nix
    ];

    home.sessionVariables = {};

    home.packages = with pkgs; [
    ];

    # TODO: currently unsupported
    services.gammastep.enable = lib.mkForce false;
  };

  boot = {
    loader.systemd-boot.enable = true;
    # NOTE(review): forced off; presumably the firmware on this machine does
    # not tolerate EFI variable writes — confirm before removing the mkForce.
    loader.efi.canTouchEfiVariables = lib.mkForce false;
    loader.efi.efiSysMountPoint = "/boot";
    blacklistedKernelModules = ["wwan"];
  };

  # The node flake's ath11k firmware package is placed ahead of the other
  # firmware packages so its files win on path conflicts.
  hardware.firmware = lib.mkBefore [
    nodeFlake.packages.${system}.x13s-ath11k-firmware
  ];

  # see https://linrunner.de/tlp/
  # TODO: find an equivalent to tlp that supports this machine
  # Disabled; the charge thresholds are kept for when a working tool exists.
  services.tlp = {
    enable = false;
    settings = {
      START_CHARGE_THRESH_BAT0 = "80";
      STOP_CHARGE_THRESH_BAT0 = "85";
    };
  };

  # android on linux
  virtualisation.waydroid.enable = false;

  virtualisation.podman.enable = true;
  virtualisation.podman.dockerCompat = true;

  hardware.ledger.enable = true;

  # Binary cache for the x13s packages. NOTE(review): store paths signed by
  # the key below are accepted without rebuilding, so this extends the set of
  # parties trusted to produce system closures.
  nix.settings.substituters = [
    "https://nixos-x13s.cachix.org"
  ];
  nix.settings.trusted-public-keys = [
    "nixos-x13s.cachix.org-1:SzroHbidolBD3Sf6UusXp12YZ+a5ynWv0RtYF0btFos="
  ];

  steveej.holo-zerotier = {
    enable = true;
    autostart = false;
  };

  services.udev.packages = [ pkgs.android-udev-rules ];
  programs.adb.enable = true;

  # NOTE(review): "relaxed" lets derivations marked __noChroot run outside
  # the build sandbox, so such builds are no longer isolated from the host;
  # worth a comment naming which package needs it so the setting can be
  # reverted once it no longer does.
  nix.settings.sandbox = lib.mkForce "relaxed";
}