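# NixOS host configuration for a machine built on the nixos-x13s hardware
# module. It wires in sops-nix secrets, disko partitioning, a sway desktop,
# SSH access, container/Android virtualisation, and a oneshot unit that sets
# the Bluetooth public address before bluetooth.service starts.
#
# Arguments are supplied by the surrounding flake; `nodeName` selects both the
# hostname and the per-node sops secrets file.
{
  repoFlake,
  nodeFlake,
  pkgs,
  lib,
  config,
  nodeName,
  localDomainName,
  system,
  ...
}: {
  nixos-x13s = {
    enable = true;
    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
  };

  services.illum.enable = true;

  # Programs the controller's public address (nixos-x13s.bluetoothMac) and is
  # ordered before, and required by, bluetooth.service.
  systemd.services.bluetooth-mac = {
    enable = true;
    path = [
      pkgs.systemd
      pkgs.util-linux
      pkgs.bluez5-experimental
      pkgs.expect
    ];
    script = ''
      # TODO: this may not be required
      # Wait for the firmware-setup message, but only for a bounded time:
      # oneshot units have no start timeout by default, so an unbounded loop
      # would keep bluetooth.service from ever starting if the message never
      # appears in this boot's journal.
      waited=0
      until journalctl -b0 | grep -q 'Bluetooth: hci0: QCA setup on UART is completed'; do
        if [ "$waited" -ge 60 ]; then
          echo "Gave up waiting for bluetooth firmware after $waited seconds, continuing best effort"
          break
        fi
        echo Waiting for bluetooth firmware to complete
        echo
        sleep 1
        waited=$((waited + 1))
      done

      (
        # best effort: errors are reported via the echoed exit codes only
        set +e
        rfkill block bluetooth
        echo $?
        btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
        echo $?
        rfkill unblock bluetooth
        echo $?
      )
    '';
    requiredBy = ["bluetooth.service"];
    before = ["bluetooth.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;

      # we need a tty, otherwise btmgmt will hang
      # NOTE(review): TTYVHangup disconnects any client that has /dev/tty2
      # open, and the unit reads its stdin from that console while it runs.
      StandardInput = "tty";
      TTYPath = "/dev/tty2";
      TTYReset = "yes";
      TTYVHangup = "yes";
    };
  };

  imports = [
    nodeFlake.inputs.nixos-x13s.nixosModules.default
    repoFlake.inputs.sops-nix.nixosModules.sops
    nodeFlake.inputs.disko.nixosModules.disko
    ./disko.nix

    ../../snippets/nix-settings.nix
    ../../profiles/common/user.nix
    {
      # sshd is started and its port is opened in the firewall, so it is
      # reachable from whatever networks this host is attached to.
      services.openssh.enable = true;
      # Root may log in over SSH with a key only. This was "yes", which
      # together with openFirewall exposed password-based root login to the
      # network.
      # NOTE(review): confirm that root's authorized keys are provisioned
      # (presumably via ../../profiles/common/user.nix) before relying on
      # remote root access.
      services.openssh.settings.PermitRootLogin = "prohibit-password";
      services.openssh.openFirewall = true;

      # Per-node secrets file, decrypted at activation by sops-nix.
      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      sops.defaultSopsFormat = "yaml";

      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };
    }

    ../../snippets/home-manager-with-zsh.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/bluetooth.nix
    ../../snippets/timezone.nix
    ../../snippets/radicale.nix
  ];

  networking.hostName = nodeName;
  networking.firewall.enable = true;
  networking.networkmanager.enable = true;

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = [
    pkgs.sshfs
    pkgs.util-linux
    pkgs.coreutils
    pkgs.vim
    pkgs.git
    pkgs.git-crypt
  ];

  system.stateVersion = "23.11";

  home-manager.users.root = _: {
    home.stateVersion = "23.11";
  };

  home-manager.users.steveej = _: {
    home.stateVersion = "23.11";
    imports = [
      ../../../home-manager/configuration/graphical-fullblown.nix
    ];
    home.sessionVariables = {};
    home.packages = with pkgs; [
    ];

    # TODO: currently unsupported
    services.gammastep.enable = lib.mkForce false;
    # programs.chromium.enable = lib.mkForce false;
  };

  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = lib.mkForce false;
    loader.efi.efiSysMountPoint = "/boot";
    blacklistedKernelModules = ["wwan"];
  };

  # see https://linrunner.de/tlp/
  # TODO: find an equivalent to tlp that supports this machine
  # The charge thresholds below are inert while enable = false.
  services.tlp = {
    enable = false;
    settings = {
      START_CHARGE_THRESH_BAT0 = "80";
      STOP_CHARGE_THRESH_BAT0 = "85";
    };
  };

  # android on linux
  virtualisation.waydroid.enable = true;

  virtualisation.podman.enable = true;
  virtualisation.podman.dockerCompat = true;

  hardware.ledger.enable = true;
}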