{ pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix

    ../common/global
    ../common/users/lander

    ../common/optional/fonts.nix
    ../common/optional/keybase.nix
    ../common/optional/yubikey-gpg.nix
    ../common/optional/virt.nix
    ../common/optional/restic.nix
    ../common/optional/steam.nix
  ];

  networking = {
    hostName = "wodan";
    networkmanager.enable = true;
  };

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    initrd.luks.devices."luks-ed2282ac-fd73-4d82-9224-b7596b5b7cac".device =
      "/dev/disk/by-uuid/ed2282ac-fd73-4d82-9224-b7596b5b7cac";

    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.xkb = {
    layout = "us";
    variant = "";
  };

  security.pam.loginLimits = [
    {
      domain = "@audio";
      item = "memlock";
      type = "-";
      value = "unlimited";
    }
    {
      domain = "@audio";
      item = "rtprio";
      type = "-";
      value = "99";
    }
    {
      domain = "@audio";
      item = "nofile";
      type = "soft";
      value = "99999";
    }
    {
      domain = "@audio";
      item = "nofile";
      type = "hard";
      value = "99999";
    }
  ];

  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };

  nixpkgs.config.allowUnfree = true;

  services.emacs = {
    enable = true;
    package = pkgs.emacs-unstable;
  };

  environment.systemPackages = with pkgs; [
    (firefox.override { nativeMessagingHosts = [ passff-host ]; })
    vim
    wget
    git
    texliveFull
    opentofu
    tf-summarize
    awscli2
    libreoffice
    ansible
    opensoundmeter
    helvum
    ardour
    yabridge
    yabridgectl
    wineWowPackages.stable
    winetricks
    tidal
    superdirt-start
    superdirt-install
  ];

  nix.settings = {
    experimental-features = [
      "nix-command"
      "flakes"
    ];

    substituters = [
      "https://cache.nixos.org/"
      "https://nix-community.cachix.org"
    ];

    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];
  };

  services.tailscale.enable = true;
  services.mullvad-vpn = {
    enable = true;
    package = pkgs.mullvad-vpn;
  };

  services.printing.enable = true;
  services.printing.drivers = [
    pkgs.brlaser
    pkgs.hplip
  ];
  services.avahi = {
    enable = true;
    nssmdns4 = true;
    openFirewall = true;
  };

  system.stateVersion = "24.05";
}