# Base host module: virtualisation, documentation, networking, remote access
# (OpenSSH, Tailscale, endlessh, fail2ban), GnuPG and the system-wide toolset.
{
  me,
  pkgs,
  auxiliaryPkgs,
  unstablePkgs,
  ...
}:
{
  imports = [
    ./nix.nix
    ./user.nix
    ./locale.nix
    ./vim.nix
    ./tmux.nix
    ./nix-ld.nix
  ];

  networking.hostName = me.name;

  # Public key accepted by sshd for user `mel`. Password and
  # keyboard-interactive logins are disabled in services.openssh below.
  users.users.mel.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD mel@moissanite"
  ];

  virtualisation = {
    # NOTE(review): access to the docker socket is root-equivalent; check
    # which users ./user.nix adds to the `docker` / `libvirtd` groups.
    docker.enable = true;
    libvirtd.enable = true;
  };

  documentation = {
    # fish switches the man cache on by default, and generating it makes
    # every nixos rebuild very slow, so it is turned back off here.
    man.generateCaches = false;

    info.enable = true;
    doc.enable = true;
    dev.enable = true;
    nixos = {
      enable = true;
      includeAllModules = true;
    };
  };

  services = {
    envfs.enable = true;
    resolved.enable = true;
    acpid.enable = true;

    tailscale = {
      enable = true;
      # "both": this host may act as a subnet router / exit node and may use
      # them. In the NixOS module this enables IP forwarding and sets
      # reverse-path filtering to loose - confirm for the pinned nixpkgs.
      useRoutingFeatures = "both";
      # `--ssh` enables Tailscale SSH. Those sessions are accepted by
      # tailscaled, not sshd, so the openssh `settings` below
      # (PermitRootLogin, key-only auth) and the authorizedKeys above do not
      # apply to them; who may log in, and as which user, is decided by the
      # tailnet's SSH ACL rules.
      extraUpFlags = [ "--ssh" ];
    };

    openssh = {
      enable = true;
      # Fixed non-standard port (not random). It only cuts scanner noise;
      # the actual protection is the key-only authentication below.
      ports = [ 62322 ];
      openFirewall = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    # Tarpit on the default SSH port to annoy every ssh spammer; the real
    # sshd listens on 62322.
    endlessh = {
      enable = true;
      port = 22;
      openFirewall = true;
    };

    # Ban those who found the real port.
    # NOTE(review): module defaults are used; confirm the sshd jail follows
    # port 62322. Tailscale SSH sessions do not go through sshd, so they are
    # presumably outside this jail.
    fail2ban.enable = true;

    # Sometimes needed for gnupg.
    pcscd.enable = true;
  };

  programs = {
    fish.enable = true;
    git.enable = true;
    gnupg.agent = {
      enable = true;
      # gpg-agent also serves as the SSH agent.
      enableSSHSupport = true;
      pinentryPackage = pkgs.pinentry-curses;
    };
  };

  # Installed into the system profile, i.e. available to every user on the
  # host. This includes capture / scanning / interception tools (tcpdump,
  # nmap, arp-scan, mitmproxy).
  environment.systemPackages =
    (with pkgs; [
      file
      unzip
      jq
      dig
      htop
      wget
      screen
      dive

      gnupg
      pinentry-curses
      age
      agenix
      minisign
      openssl
      cryptsetup
      pamtester

      inetutils
      pciutils
      usbutils
      lshw
      lsof
      inxi
      iw
      pmutils
      acpi
      acpid
      minicom

      miniserve
      netcat-gnu
      socat
      tcpdump
      nmap
      iftop
      iperf
      mtr
      arp-scan
      ethtool
      mitmproxy

      yt-dlp
      ffmpeg_7-full
      imagemagick
      senpai

      qemu_full
      virtiofsd

      openvpn
      openvpn3
      update-resolv-conf

      ripgrep
      hyperfine
      parallel
      just
      fzf
      bat
      delta
      eza
      fd
      tokei
      didyoumean

      universal-ctags
      compiledb
      graphviz

      python3
      uv
      ruff

      nodejs_22
      deno
      yarn

      rustc
      rustup
      cargo
      rustfmt

      go
      gopls
      delve
      go-task
      gotags
      golangci-lint

      meson
      cmake
      gnumake
      ninja
      gdb
      gcc
      clang
      clang-tools

      hare
      haredoc

      jdk
      maven
      gradle

      nil
      nixfmt-rfc-style
      nixpkgs-review
      nixpkgs-fmt
      nixpkgs-lint-community

      postgresql
      helix
      alacritty

      ubootTools
      dtc
      cloud-utils
      borgbackup

      man-pages
      man-pages-posix
    ])
    ++ (with unstablePkgs; [
      claude-code
      gemini-cli
    ])
    ++ (with auxiliaryPkgs; [ ]);

  # /etc/openvpn points at the update-resolv-conf package's libexec/openvpn
  # directory.
  environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
}