# NixOS host configuration for the laptop "stolas": Secure Boot via lanzaboote,
# AMD/Framework 13 hardware settings, a Plasma 6 desktop, Syncthing firewall
# openings, backups and the single interactive user.
{ config, lib, pkgs, ... }:
{
  imports = [
    ../modules/profiles/laptop.nix
    ./disks.nix
    # TODO ./paperless.nix
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
  nixpkgs.config.allowUnfree = true;

  # Secure Boot. The boot.lanzaboote options are not defined in this file;
  # presumably the module is pulled in by the flake or the laptop profile.
  # NOTE(review): pkiBundle points at the sbctl key material. Whoever can read
  # the private keys there can sign boot images this machine will accept, so
  # the directory should stay root-only and on encrypted storage (disk layout
  # lives in ./disks.nix, not visible here — confirm).
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl";
  };

  # Lanzaboote takes the place of the systemd-boot module. A configuration.nix
  # generated at install time usually enables systemd-boot, so it is forced
  # off here for now.
  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.kernelModules = [ "kvm-amd" ];

  # NOTE(review): this takes v4l2loopback from pkgs.linuxPackages. If an
  # imported module sets boot.kernelPackages to another kernel, the module
  # would be built for the wrong one; config.boot.kernelPackages.v4l2loopback
  # follows the configured kernel — confirm against laptop.nix.
  boot.extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];

  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "thunderbolt"
    "usb_storage"
    "sd_mod"
  ];

  # Make sure the TPM module is loaded in the initrd.
  boot.initrd.kernelModules = [ "tpm" ];

  environment.systemPackages = with pkgs; [
    # For debugging and troubleshooting Secure Boot.
    sbctl
  ];

  # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
  hardware.bluetooth.enable = true;
  # CPU microcode updates follow the redistributable-firmware setting unless
  # another module overrides this default.
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.enableAllFirmware = true;
  hardware.framework.laptop13.audioEnhancement.enable = true;
  hardware.graphics = {
    enable = true;
    extraPackages = [
      pkgs.vaapiVdpau
      pkgs.libvdpau-va-gl
    ];
  };

  powerManagement = {
    enable = true;
    cpuFreqGovernor = "schedutil";
    # TODO: Limit charge of battery, does this work without kernel patches from hardware.framework.enableKmod?
    # Writes a charge stop threshold of 80 for BAT0 on power-up.
    powerUpCommands = ''
      echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
    '';
  };

  networking.hostName = "stolas";

  # Host firewall: the only ports opened explicitly here are Syncthing's.
  # NOTE(review): service modules can open further ports on their own; the
  # avahi module opens its mDNS port by default (services.avahi.openFirewall)
  # — check the effective rule set on the running system.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22000 # Syncthing
    ];
    allowedUDPPorts = [
      21027 # Syncthing
    ];
  };

  nix.settings.max-jobs = lib.mkDefault 16;

  # Options of the repository's own "dadada" modules (defined elsewhere).
  dadada.admin.enable = true;
  dadada.backupClient = {
    gs.enable = false;
    backup1.enable = true;
    backup2 = {
      enable = true;
      repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
    };
  };

  programs = {
    adb.enable = true;
    firefox.enable = true;
    firefox.package = pkgs.firefox-wayland;
    # Both the GnuPG agent and the OpenSSH agent are started; gnome-keyring is
    # forced off under services below.
    gnupg.agent.enable = true;
    ssh.startAgent = true;
    wireshark.enable = true;
  };

  services = {
    # NOTE(review): avahi and printer browsing make the laptop listen for
    # announcements from whatever local network it joins; on untrusted
    # networks that is attack surface worth switching off when unused.
    avahi.enable = true;
    printing.enable = true;
    printing.browsing = true;

    desktopManager.plasma6.enable = true;
    displayManager.sddm = {
      enable = true;
      wayland.enable = true;
    };

    gnome.gnome-keyring.enable = lib.mkForce false;
    smartd.enable = true;
    tlp.enable = false;
  };

  system.stateVersion = "25.05";

  systemd = {
    # ModemManager and its D-Bus activation alias are both forced off.
    services = {
      modem-manager.enable = lib.mkForce false;
      "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
    };

    # NOTE(review): hibernation writes RAM contents (including any keys held
    # in memory) to disk-backed swap; zram cannot hold the image. The swap
    # device is presumably declared in ./disks.nix — confirm it is encrypted.
    sleep.extraConfig = ''
      HibernateDelaySec=1h
    '';
  };

  virtualisation.libvirtd.enable = true;

  users.users.dadada = {
    # yescrypt ("$y$") hash used as the account's initial password.
    # NOTE(review): the hash is committed with the configuration and ends up
    # in the world-readable Nix store, so it is open to offline guessing.
    # Change the password after first login, or supply it through
    # hashedPasswordFile backed by a secret.
    initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA";
    isNormalUser = true;
    # NOTE(review): wheel, docker and libvirtd are close to root-equivalent,
    # and kvm/video/dialout/wireshark grant raw device or packet-capture
    # access; keep only what this account needs. "docker" and "paperless" are
    # not set up in this file — confirm an imported module defines them.
    extraGroups = [
      "wheel"
      "networkmanager"
      "libvirtd"
      "adbusers"
      "kvm"
      "video"
      "scanner"
      "lp"
      "docker"
      "dialout"
      "wireshark"
      "paperless"
    ];
    shell = "/run/current-system/sw/bin/zsh";
  };

  # TODO
  # NOTE(review): when this is re-enabled, mode "700" sets execute bits a
  # secret file does not need; owner-read ("400") is sufficient.
  # age.secrets = {
  #   paperless = {
  #     file = "${config.dadada.secrets.path}/paperless.age";
  #     mode = "700";
  #     owner = "paperless";
  #   };
  # };

  # Create compressing swap space in RAM
  zramSwap.enable = true;
}