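# NixOS host module: boot loader, Nix daemon settings, one interactive user,
# key-only SSH, a Caddy front end and Podman as the container backend.
# `config'` is supplied by the caller; this module reads `username` and
# `hostname` from it.
{ inputs, pkgs, config', ... }: {
  nixpkgs = {
    # fuck broadcom
    # allowUnfree applies to every package, not only the one that needed it;
    # nixpkgs' `allowUnfreePredicate` can narrow it to named packages.
    config.allowUnfree = true;
    overlays = [
      inputs.neovim-nightly-overlay.overlay
    ];
  };

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Warsaw";

  nix.settings = {
    experimental-features = [ "flakes" "nix-command" ];
    # Trusted users can steer the Nix daemon (e.g. add substituters), which the
    # Nix manual describes as essentially equivalent to root. The same account
    # is in `wheel` below, so this does not widen access here, but it removes
    # the sudo prompt as a barrier.
    trusted-users = [ "root" config'.username ];
  };

  networking.hostName = config'.hostname;

  programs.zsh.enable = true;

  programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
  };

  users.users.${config'.username} = {
    isNormalUser = true;
    # `wheel` grants sudo. No Docker daemon is enabled in this module (Podman
    # with dockerCompat is); if one is enabled elsewhere, membership in
    # `docker` amounts to root on the host.
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.zsh;
    # NOTE(review): `docker` is installed here while Podman's dockerCompat
    # below also provides a `docker` command; confirm which one is intended.
    packages = with pkgs; [
      curl
      neovim
      neofetch
      git
      wireguard-tools
      ntfy
      btop
      docker
      docker-compose
      nodePackages_latest.pnpm
      nodePackages_latest.prisma
      prisma-engines
      openssl
      pkg-config
      direnv
      nix-direnv
      git-annex
    ];
  };

  environment = {
    shells = with pkgs; [ zsh ];
    pathsToLink = [ "/share/zsh" ];
    sessionVariables = {
      EDITOR = "nvim";
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # Keyboard-interactive is a separate sshd method that can still prompt
      # for a password through PAM, so it is disabled as well to leave public
      # keys as the only way in.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  services.caddy = {
    enable = true;
    # Requests for `/` whose User-Agent matches "Discord" (case-insensitive)
    # are rewritten to /trollface.png; files are served from the local
    # ./trollface.pl directory, which Nix copies into the store.
    virtualHosts."trollface.pl".extraConfig = ''
      @discord {
        header_regexp User-Agent (?i)(Discord)
        path /
      }
      rewrite @discord /trollface.png
      root * ${./trollface.pl}
      file_server
    '';
    # Forwards every request to a service on localhost:3001.
    virtualHosts."test.jacekpoz.pl".extraConfig = ''
      reverse_proxy * localhost:3001
    '';
  };

  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
    };
    oci-containers.backend = "podman";
  };

  # 80/443 are for Caddy and 22 for sshd (services.openssh.openFirewall, on by
  # default, would open 22 as well). Port 3001, the reverse_proxy backend, is
  # not in this list.
  networking.firewall.allowedTCPPorts = [ 80 443 22 ];

  # Records the release whose stateful defaults this host was installed with;
  # it is not a version pin to bump on upgrade.
  system.stateVersion = "23.11";
}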