{ config, lib, pkgs, ... }:
let ports = {
  minecraft = 25565;
}; in
{
  age.secrets.test-secret.file = ../secrets/test-secret.age;
  age.secrets.test-secret.owner = "orbekk";
  orbekk.backups.enableServer = true;
  orbekk.backups.enableClient = true;

  orbekk.gaming.enable = true;
  orbekk.desktop.enable = true;
  orbekk.thinkpad.enable = true;
  orbekk.simple-firewall.allowedTCPPorts = [ ports.minecraft 631 5353 ]; # socks proxy
  orbekk.development.enable = true;

  orbekk.vpn.enable = true;

  system.autoUpgrade.enable = lib.mkForce false;
  services.printing.enable = true;
  services.printing.drivers = with pkgs; [ gutenprint brlaser ];
  services.openssh.enable = true;

  # Keycloak config
  # age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age;
  # services.postgresql.enable = true;
  # services.keycloak = {
  #   enable = true;
  #   settings.hostname = "localhost:11118";
  #   settings.log-level = "INFO";
  #   settings.http-port = (import ../data/aliases.nix).services.keycloak.http-port;
  #   settings.hostname-strict-https = false;
  #   settings.proxy = "edge";
  #   database.type = "postgresql";
  #   database.passwordFile = config.age.secrets."dragon-keycloak.age".path;
  # };

  networking.networkmanager.enable = true;

  networking = {
    hostName = "pincer";
  };

  programs.xwayland.enable = true;
  programs.dconf.enable = true;
  # environment.systemPackages = with pkgs; [ river ];

  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true; # so that gtk works properly
    extraPackages = with pkgs; [
      grim
      swaylock
      swayidle
      wl-clipboard
      mako # notification daemon
      alacritty # Alacritty is the default terminal in the config
      dmenu # Dmenu is the default in the config but i recommend wofi since its wayland native
      foot
    ];
  };
  # services.displayManager.slim.enable = lib.mkForce false;
  # services.xserver.desktopManager.kodi.enable = true;

  boot = {
    loader.grub = {
      enable = true;
      device = "nodev";
      efiSupport = true;
      ipxe = {
        test = ''
              #!ipxe
        '';
        demo = ''
              #!ipxe
              dhcp
              chain http://boot.ipxe.org/demo/boot.php
        '';
      };
    };
    loader.efi.canTouchEfiVariables = true;
    # 6.4 is broken: https://github.com/NixOS/nixpkgs/issues/243830
    # kernelPackages = pkgs.linuxPackages_latest;
    kernelModules = ["xpad" "kvm-intel" ];

    initrd.luks.devices = {
      cryptroot = {
        device = "/dev/sda6";
        allowDiscards = true;
      };
    };

    extraModprobeConfig = ''
      # option iwlwifi swcrypto=1
      options iwlmvm power_scheme=1
    '';
  };

  fileSystems = {
    "/boot" = {
      mountPoint = "/boot";
      device = "/dev/sda1";
      fsType = "vfat";
    };
    "/" = {
      mountPoint = "/";
      device = "/dev/mapper/cryptroot";
      fsType = "btrfs";
      options = ["subvol=active/nixos-root" "discard" "compress=lzo"];
    };
    "/btrfs" = {
      mountPoint = "/btrfs";
      device = "/dev/mapper/cryptroot";
      fsType = "btrfs";
      options = ["discard" "compress=lzo"];
    };
  };
  
  systemd.extraConfig = "DefaultLimitNOFILE=1048576";
  
  security.pam.loginLimits = [{
      domain = "*";
      type = "hard";
      item = "nofile";
      value = "1048576";
  }];

  # hardware-configuration.nix
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" ];
  hardware.enableRedistributableFirmware = lib.mkDefault true;
  system.stateVersion = "17.04";
}