{ repoFlake
, nodeFlake
, pkgs
, lib
, config
, nodeName
, localDomainName
, system
, ...
}:

{
  imports = [
    repoFlake.inputs.sops-nix.nixosModules.sops
    nodeFlake.inputs.disko.nixosModules.disko
    ./disko.nix

    repoFlake.nixosModules.thinkpad-x13s

    ../../profiles/common/pkg.nix

    {
      # flake registry
      nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs;

      nix.nixPath = [
        "nixpkgs=${pkgs.path}"
      ];

      nix.settings.experimental-features = [
        "nix-command"
        "flakes"
      ];

      nix.settings.max-jobs = lib.mkDefault "auto";
    }

    ../../profiles/common/user.nix

    {
      services.openssh.enable = true;
      services.openssh.settings.PermitRootLogin = "yes";
      services.openssh.openFirewall = true;

      # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
      # sops.defaultSopsFormat = "yaml";

      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
        installPassword = "install";
      };
    }

    nodeFlake.inputs.home-manager.nixosModules.home-manager

    ../../snippets/sway-desktop.nix
    # ../../snippets/radicale.nix
  ];

  hardware.thinkpad-x13s = {
    enable = true;

    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
  };

  networking.hostName = nodeName;
  networking.firewall.enable = true;
  networking.networkmanager.enable = true;

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = [
    pkgs.sshfs
    pkgs.util-linux
    pkgs.coreutils
    pkgs.vim

    pkgs.git
    pkgs.git-crypt
  ];

  system.stateVersion = "23.11";
  home-manager.users.steveej = _: {
    home.stateVersion = "23.11";

    imports = [
      ../../../home-manager/configuration/graphical-fullblown.nix
    ];

    home.sessionVariables = { };

    home.packages = with pkgs; [
    ];
  };
}