{ repoFlake
, pkgs
, lib
, config
, nodeFlake
, nodeName
, localDomainName
, system
, ...
}:

{
  imports = [
    repoFlake.inputs.sops-nix.nixosModules.sops
    nodeFlake.inputs.disko.nixosModules.disko
    ./disko.nix

    ../../profiles/common/user.nix

    {
      nix.nixPath = [
        "nixpkgs=${pkgs.path}"
      ];

      nix.settings.experimental-features = [
        "nix-command"
        "flakes"
      ];

      nix.settings.max-jobs = lib.mkDefault "auto";
    }

    {
      services.openssh.enable = true;
      services.openssh.settings.PermitRootLogin = "yes";
      services.openssh.openFirewall = true;

      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };

      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";
    }
  ];

  hardware.thinkpad-x13s = {
    enable = true;

    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
  };

  networking = {
    hostName = nodeName;

    firewall.enable = true;

    useNetworkd = true;
    networkmanager.enable = false;
  };

  system.stateVersion = "23.11";

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = [
    pkgs.sshfs
    pkgs.util-linux
    pkgs.coreutils
    pkgs.vim

    pkgs.git
    pkgs.git-crypt
  ];
}