# NixOS host configuration: a two-disk mdadm RAID0 with btrfs on top,
# acting as a Nix remote builder, container/VM host and Caddy front for a
# local S3-style service. `pkgsUnstable` and `pkgsVscodium` are alternate
# nixpkgs instantiations taken from the node and repo flakes respectively.
{
  modulesPath,
  repoFlake,
  packages',
  pkgs,
  lib,
  config,
  nodeFlake,
  nodeName,
  system,
  ...
}: let
  # Same system/config as the primary `pkgs`, different nixpkgs revisions.
  pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};

  # openvscode-server pinned to the repo's flake input and rebuilt with a fixed
  # yarn cache hash so the build stays reproducible across nixpkgs bumps.
  openvscodeServerPinned = pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
    src = repoFlake.inputs.openvscode-server;
    version = "1.88.1";
    yarnCache = attrs.yarnCache.overrideAttrs (_: {
      outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Ts=";
    });
  });

  # Per-user home-manager profile. Takes home-manager's own `pkgs`, which
  # shadows the module argument of the same name above.
  steveejHome = {pkgs, ...}: {
    imports = [
      ../../../home-manager/programs/pass.nix
    ];

    home.packages = [
      pkgs.nil
      pkgs.nixd
      pkgs.nixpkgs-fmt
      pkgs.alejandra
      pkgs.nixfmt
      repoFlake.packages.${system}.rperf

      # TODO: automate linking this
      # 1. get the commit with: `codium --version`
      # 2. create the binary directory:
      #    `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
      # 3. link the binary. this relies on the client-side setting
      #    `"remote.SSH.experimental.serverBinaryName": "openvscode-server"`:
      #    ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
      /*
      e.g.:
      ```
      (
        set -e
        export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
        ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
      )
      ```
      */
      openvscodeServerPinned

      pkgs.waypipe
    ];
  };

  # disko layout for one member disk: a tiny EF02 partition for the GRUB MBR
  # gap and the remainder handed to the `raid0` mdadm array.
  mkMemberDisk = dev: {
    type = "disk";
    device = "/dev/${dev}";
    content = {
      type = "gpt";
      partitions = {
        boot = {
          size = "1M";
          type = "EF02"; # for grub MBR
        };
        mdadm = {
          size = "100%";
          content = {
            type = "mdraid";
            name = "raid0";
          };
        };
      };
    };
  };

  holochainDomain = "dev.infra.holochain.org";
in {
  disabledModules = [];

  imports = [
    nodeFlake.inputs.disko.nixosModules.disko
    repoFlake.inputs.sops-nix.nixosModules.sops

    nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
    {
      # Public keys of the hosts allowed to schedule builds on this machine.
      roles.nix-remote-builder.schedulerPublicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"
        # TODO: make this a reference to the private key's secret
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
      ];
    }

    ../../profiles/common/user.nix
    ../../snippets/nix-settings.nix
    ../../snippets/nix-settings-holo-chain.nix
    {
      # NOTE(review): mkForce overrides whatever sandbox level the shared
      # nix-settings snippets set. A relaxed sandbox lets derivations opt out
      # of isolation (`__noChroot`), so builds scheduled by the remote-builder
      # keys above run with weaker containment than the default — presumably
      # needed by the holo-chain builds; confirm and keep the scheduler key
      # list tight.
      nix.settings.sandbox = lib.mkForce "relaxed";
    }

    ../../snippets/holo-zerotier.nix

    # TODO
    # ./network.nix
    # ./monitoring.nix

    # user config
    ../../snippets/home-manager-with-zsh.nix
    {
      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };

      home-manager.users.steveej = steveejHome;

      programs.zsh.enable = true;
      users.defaultUserShell = pkgs.zsh;
      environment.pathsToLink = ["/share/zsh"];
    }

    ../../snippets/mycelium.nix
  ];

  services = {
    openssh = {
      enable = true;
      # NOTE(review): root login over SSH is allowed outright and the local
      # firewall below is disabled, so root is reachable from every network
      # this host joins (including zerotier/mycelium). "prohibit-password"
      # keeps key-based root access while refusing password logins — confirm
      # nothing here depends on a root password before tightening.
      settings.PermitRootLogin = "yes";
      # Let a reconnecting client replace a stale forwarded unix socket.
      extraConfig = ''
        StreamLocalBindUnlink yes
      '';
    };

    caddy = {
      enable = true;
      email = "mail@stefanjunker.de";
      # No HTTP->HTTPS redirect: plain HTTP stays served alongside TLS.
      globalConfig = ''
        auto_https disable_redirects
      '';
      # NOTE(review): /s3/* is proxied to a loopback listener on 9000 with no
      # access control visible in this file; the upstream is assumed to
      # authenticate requests itself (S3-style signing) — verify.
      virtualHosts."${nodeName}.${holochainDomain}" = {
        extraConfig = ''
          handle_path /s3/* {
            reverse_proxy http://127.0.0.1:9000
          }
        '';
      };
    };
  };

  boot = {
    kernel.sysctl = {
      # Host routes between its interfaces (needed for the NAT below).
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = true;
    };
    kernelPackages = pkgs.linuxPackages_latest;
    initrd = {
      includeDefaultModules = true;
      # dm-raid/dm-integrity for the mdadm root; renesas xHCI for USB in initrd.
      kernelModules = [
        "dm-raid"
        "dm-integrity"
        "xhci_pci_renesas"
      ];
    };
    # Run aarch64 builds/containers on this x86 host via qemu-user.
    binfmt.emulatedSystems = [
      "aarch64-linux"
    ];
  };

  networking = {
    hostName = nodeName;
    useNetworkd = true;
    useDHCP = true;
    nat.enable = true;
    # No local firewall.
    # NOTE(review): with firewall.enable = false the allowed*Ports lists below
    # have no effect; they only document the rperf port (5201) for when the
    # firewall is switched back on. Every listening service on this host is
    # exposed unfiltered meanwhile.
    firewall = {
      enable = false;
      allowedTCPPorts = [5201];
      allowedUDPPorts = [5201];
    };
  };

  # Two whole disks striped (RAID0, no redundancy) into a single btrfs root.
  disko.devices = {
    disk = {
      sda = mkMemberDisk "sda";
      sdb = mkMemberDisk "sdb";
    };
    mdadm.raid0 = {
      type = "mdadm";
      level = 0;
      content = {
        type = "gpt";
        partitions.primary = {
          size = "100%";
          content = {
            type = "filesystem";
            format = "btrfs";
            mountpoint = "/";
          };
        };
      };
    };
  };

  system.stateVersion = "23.11";

  hardware.enableRedistributableFirmware = true;

  environment.systemPackages = [
    pkgs.hdparm
    pkgs.fuse
  ];
  # Lets non-root FUSE mounts be visible to other users (e.g. root, services).
  programs.fuse.userAllowOther = true;

  # home-manager.users.steveej = _: {
  #   imports = [
  #     ../../../home-manager/configuration/text-minimal.nix
  #   ];
  #   home.sessionVariables = {
  #   };
  #   home.packages = with pkgs; [
  #   ];
  # };

  virtualisation = {
    libvirtd.enable = true;
    docker.enable = true;
    podman = {
      enable = true;
      autoPrune.enable = true;
      # dockerSocket.enable = true;
    };
  };

  steveej.holo-zerotier = {
    enable = true;
    autostart = false;
  };
}