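# NixOS host configuration for a Lenovo ThinkPad X13s (Snapdragon) node.
#
# The module is a flake-style NixOS module: it receives the usual module
# arguments plus the repo/node flakes and an extra `packages'` set carrying
# the out-of-tree X13s firmware. Everything below is wiring for that
# hardware, desktop/dev tooling, remote Nix builders and the host firewall.
{ repoFlake, nodeFlake, pkgs, lib, config, nodeName, system, packages', ... }:

{
  nixpkgs.overlays = [ nodeFlake.overlays.default ];

  # Hardware enablement for the X13s (out-of-tree module from nodeFlake).
  nixos-x13s = {
    enable = true;
    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
    kernel = "jhovold";
  };

  services.illum.enable = true;

  # printing and autodiscovery of printers
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplip ];
  services.avahi = {
    enable = true;
    nssmdns4 = true;
    # NOTE(review): this opens the mDNS port on every interface, not only
    # en+/wl+ like the syncthing rules below — acceptable on a LAN-only
    # laptop, worth revisiting if zerotier is started by default.
    openFirewall = true;
  };

  hardware.sane.enable = true; # enables support for SANE scanners

  # Programs the Bluetooth controller's public address before bluetooth.service
  # starts: the QCA controller on this board comes up without a persistent
  # MAC, so one is pushed with btmgmt (which needs a real TTY to not hang).
  systemd.services.bluetooth-x13s-mac = lib.mkForce {
    enable = true;
    path = [ pkgs.systemd pkgs.util-linux pkgs.bluez5-experimental pkgs.expect ];
    script = ''
      # TODO: this may not be required
      # NOTE(review): this wait has no upper bound; if the firmware never
      # reports completion the oneshot (and bluetooth.service behind it)
      # blocks indefinitely.
      while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do
        echo Waiting for bluetooth firmware to complete
        echo
        sleep 1
      done

      (
        # best effort
        set +e

        rfkill block bluetooth
        echo $?
        btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
        echo $?
        rfkill unblock bluetooth
        echo $?
      )
    '';
    requiredBy = [ "bluetooth.service" ];
    before = [ "bluetooth.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # we need a tty, otherwise btmgmt will hang
      StandardInput = "tty";
      TTYPath = "/dev/tty2";
      TTYReset = "yes";
      TTYVHangup = "yes";
    };
  };

  imports = [
    nodeFlake.inputs.nixos-x13s.nixosModules.default
    repoFlake.inputs.sops-nix.nixosModules.sops
    nodeFlake.inputs.disko.nixosModules.disko
    ./disko.nix
    ../../profiles/common/user.nix
    ../../snippets/nix-settings.nix
    ../../snippets/nix-settings-holo-chain.nix
    ../../snippets/mycelium.nix
    ../../snippets/obs-studio.nix

    # SSH access, secrets and remote builders.
    {
      services.openssh.enable = true;
      # Root may log in with a key but never with a password: sshd is
      # reachable on every interface (openFirewall below), so password
      # root login would expose the machine to online guessing. Key-based
      # root login (used by nixos-rebuild --target-host style deploys) keeps
      # working. Consider also setting
      #   services.openssh.settings.PasswordAuthentication = false;
      # once every user that needs remote access has a key in place.
      services.openssh.settings.PermitRootLogin = "prohibit-password";
      # Opens port 22 on all interfaces, including wl+ and the zerotier one.
      services.openssh.openFirewall = true;

      # Per-node sops file; the builder key below is decrypted from it at
      # activation and exposed under /run/secrets.
      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";

      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };

      sops.secrets.builder-private-key = { };

      # Offload builds to the infra builders over ssh-ng using the sops-managed
      # key. Each entry is an unprivileged `nix-remote-builder` account; the
      # same key is shared across all three hosts.
      nix.distributedBuilds = true;
      nix.buildMachines = [
        # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key'
        {
          hostName = "buildbot-nix-0.infra.holochain.org";
          sshUser = "nix-remote-builder";
          sshKey = config.sops.secrets.builder-private-key.path;
          protocol = "ssh-ng";
          systems = [ "x86_64-linux" ];
          supportedFeatures = [ "big-parallel" "kvm" "nixos-test" ];
          maxJobs = 16;
        }
        {
          hostName = "aarch64-linux-builder-0.infra.holochain.org";
          sshUser = "nix-remote-builder";
          sshKey = config.sops.secrets.builder-private-key.path;
          protocol = "ssh-ng";
          systems = [ "aarch64-linux" ];
          supportedFeatures = [ "big-parallel" "kvm" "nixos-test" ];
          maxJobs = 4;
        }
        # Kept for reference; maxJobs = 0 means nix will not schedule builds
        # here and x86_64-linux is commented out of its systems list.
        {
          hostName = "x64-linux-dev-01.dev.infra.holochain.org";
          sshUser = "nix-remote-builder";
          sshKey = config.sops.secrets.builder-private-key.path;
          protocol = "ssh-ng";
          systems = [
            # "x86_64-linux"
            "aarch64-linux"
          ];
          supportedFeatures = [ "big-parallel" "kvm" "nixos-test" ];
          maxJobs = 0;
        }
      ];
    }

    # TODO: create syncthing os snippet
    (
      let
        # syncthing sync (22000/tcp+udp) and local discovery (21027/udp)
        tcp = [ 22000 ];
        udp = [ 22000 21027 ];
      in
      {
        # Only on wired/wifi interfaces; the zerotier interface is deliberately
        # excluded, which is why these are per-interface rules.
        # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
        networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
        networking.firewall.interfaces."en+".allowedUDPPorts = udp;
        networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
        networking.firewall.interfaces."wl+".allowedUDPPorts = udp;

        # Global (all-interface) rules.
        networking.firewall.allowedTCPPorts = [
          # iperf3
          5201
        ];
      }
    )

    ../../snippets/home-manager-with-zsh.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/bluetooth.nix
    ../../snippets/timezone.nix
    ../../snippets/radicale.nix
    ../../snippets/holo-zerotier.nix
    ../../snippets/k3s-w-nix-snapshotter.nix
  ];

  networking.hostName = nodeName;
  networking.firewall.enable = true;
  networking.networkmanager.enable = true;

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = [
    pkgs.sshfs
    pkgs.util-linux
    pkgs.coreutils
    pkgs.vim
    pkgs.git
    pkgs.git-crypt
  ];

  system.stateVersion = "23.11";

  home-manager.users.root = _: {
    home.stateVersion = "23.11";
  };

  home-manager.users.steveej = _: {
    home.stateVersion = "23.11";
    imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ];
    nixpkgs.overlays = [ nodeFlake.overlays.default ];
    home.sessionVariables = { };
    home.packages = with pkgs; [ ];

    # TODO(upstream): currently unsupported on x13s
    services.gammastep.enable = true;
  };

  boot = {
    loader.systemd-boot.enable = true;
    loader.systemd-boot.configurationLimit = 5;
    # The firmware on this board is left alone; boot entries are managed purely
    # through the ESP at /boot.
    loader.efi.canTouchEfiVariables = lib.mkForce false;
    loader.efi.efiSysMountPoint = "/boot";
    blacklistedKernelModules = [ "wwan" ];
  };

  # Out-of-tree BT and WiFi firmware must win over the in-tree firmware set.
  hardware.firmware = lib.mkBefore [
    packages'.x13s-bt-firmware
    packages'.x13s-ath11k-firmware
  ];

  # see https://linrunner.de/tlp/
  # TODO: find an equivalent to tlp that supports this machine
  services.tlp = {
    enable = false;
    settings = {
      START_CHARGE_THRESH_BAT0 = "80";
      STOP_CHARGE_THRESH_BAT0 = "85";
    };
  };

  # android on linux
  virtualisation.waydroid.enable = true;
  hardware.ledger.enable = true;
  virtualisation.containers.enable = true;
  virtualisation.podman.enable = true;

  steveej.holo-zerotier = {
    enable = true;
    autostart = false;
  };

  services.udev.packages = [ pkgs.android-udev-rules ];
  programs.adb.enable = true;

  # NOTE(review): "relaxed" lets derivations that set `__noChroot = true`
  # build outside the sandbox with access to the host filesystem and
  # network. Keep in mind when building untrusted expressions on this host.
  nix.settings.sandbox = lib.mkForce "relaxed";

  systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = "${pkgs.libcamera}/libexec/libcamera";
}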