{
  #cconfig,
  myData,
  ...
}:
let
  nvme = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P";
in
{
  imports = [
    ../../modules
    ../../modules/profiles/desktop
    #../../modules/profiles/autorandr
    ../../modules/profiles/btrfs
  ];

  boot = {
    kernelModules = [ "kvm-intel" ];
    loader.systemd-boot.enable = true;
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "thunderbolt"
        "nvme"
        "usbhid"
        "tpm_tis"
      ];
      luks.devices = {
        luksroot = {
          device = "${nvme}-part3";
          allowDiscards = true;
        };
      };
    };
  };

  swapDevices = [
    {
      device = "${nvme}-part2";
      randomEncryption.enable = true;
    }
  ];

  fileSystems = {
    "/" = {
      device = "/dev/mapper/luksroot";
      fsType = "btrfs";
      options = [ "compress=zstd" ];
    };
    "/boot" = {
      device = "${nvme}-part1";
      fsType = "vfat";
    };
  };

  hardware.cpu.intel.updateMicrocode = true;
  nixpkgs.hostPlatform = "x86_64-linux";

  mj = {
    stateVersion = "24.05";
    timeZone = "Europe/Vilnius";
    username = "motiejus";

    base.users = {
      enable = true;
      devTools = true;
      root.initialPassword = "live";
      user.initialPassword = "live";
      #root.hashedPasswordFile = config.age.secrets.root-work-passwd-hash.path;
      #user.hashedPasswordFile = config.age.secrets.motiejus-work-passwd-hash.path;
    };

    services = {
      sshguard.enable = false;
      tailscale = {
        enable = true;
        verboseLogs = true;
      };

      #btrfssnapshot = {
      #  enable = true;
      #  subvolumes = [
      #    {
      #      subvolume = "/home";
      #      label = "5minutely";
      #      keep = 12;
      #      refreshInterval = "*:0/5";
      #    }
      #    {
      #      subvolume = "/home";
      #      label = "hourly";
      #      keep = 24;
      #      refreshInterval = "*:00:00";
      #    }
      #  ];
      #};

      #wifibackup = {
      #  enable = true;
      #  toPath = "/home/${config.mj.username}/M-Active/.wifi";
      #  toUser = config.mj.username;
      #};

      #remote-builder.client =
      #  let
      #    host = myData.hosts."fra1-b.servers.jakst";
      #  in
      #  {
      #    enable = true;
      #    inherit (host) system supportedFeatures;
      #    hostName = host.jakstIP;
      #    sshKey = "/etc/ssh/ssh_host_ed25519_key";
      #    maxJobs = 2;
      #  };

      node_exporter = {
        enable = true;
        extraSubnets = [ myData.subnets.vno1.cidr ];
      };

      deployerbot = {
        follower = {
          publicKeys = [ myData.hosts."fwminex.servers.jakst".publicKey ];

          enable = true;
          uidgid = myData.uidgid.updaterbot-deployee;
          sshAllowSubnets = with myData.subnets; [ tailscale.sshPattern ];
        };
      };

      #postfix = {
      #  enable = true;
      #  saslPasswdPath = config.age.secrets.sasl-passwd.path;
      #};

      #syncthing = {
      #  enable = true;
      #  dataDir = "/home/motiejus/";
      #  user = "motiejus";
      #  group = "users";
      #};

    };
  };

  networking = {
    hostName = "vno1-gdrx";
    domain = "motiejus.jakst";
    firewall.rejectPackets = true;
  };
}