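# NixOS host configuration: systemd-boot, one interactive user (chmura),
# key-only SSH, Caddy serving a static site plus a reverse proxy, and Docker.
#
# NOTE(review): the file arrived collapsed onto a single line, which makes
# everything after the first `#` a comment. Line breaks are restored here;
# the Caddyfile snippets in particular are newline-sensitive.
{ config, pkgs, inputs, ... }: {
  # fuck broadcom
  # Allows unfree packages system-wide. Which package needs it is not visible
  # in this file (presumably a Broadcom driver, going by the comment above).
  nixpkgs.config.allowUnfree = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Europe/Warsaw";

  nix.settings = {
    experimental-features = [ "flakes" "nix-command" ];
    # SECURITY: a trusted user can override daemon settings such as
    # substituters and import unsigned store paths, which is root-equivalent
    # on this machine and needs no password. Keep "chmura" here only if that
    # is actually required (e.g. for remote deployment).
    trusted-users = [ "root" "chmura" ];
  };

  programs.zsh.enable = true;

  programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
  };

  users.users.chmura = {
    isNormalUser = true;
    # SECURITY: "wheel" grants sudo. "docker" grants access to the Docker
    # socket, which is root-equivalent without any password prompt (a
    # container can bind-mount / from the host). A compromise of this account
    # should be treated as a compromise of root.
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.zsh;
    packages = with pkgs; [
      curl
      neovim
      neofetch
      git
      wireguard-tools
      ntfy
      btop
      docker
      docker-compose
      nodePackages_latest.pnpm
      nodePackages_latest.prisma
      prisma-engines
      openssl
      pkg-config
      direnv
      nix-direnv
      git-annex
    ];
  };

  environment = {
    shells = with pkgs; [zsh];
    # Exposes system-wide zsh completions from installed packages.
    pathsToLink = [ "/share/zsh" ];
    sessionVariables = {
      EDITOR = "nvim";
    };
  };

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication alone does not cover keyboard-interactive
      # (PAM) logins, which can still prompt for the account password.
      # Disable it too so that only public-key authentication remains.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  services.caddy = {
    enable = true;
    # Requests for "/" whose User-Agent contains "Discord" (case-insensitive)
    # are rewritten to /trollface.png; everything else is served statically.
    #
    # SECURITY: ${./trollface.pl} copies the whole directory into the
    # world-readable Nix store and file_server exposes every file in it, so
    # that directory must contain only content meant to be public.
    virtualHosts."trollface.pl".extraConfig = ''
      @discord {
        header_regexp User-Agent (?i)(Discord)
        path /
      }
      rewrite @discord /trollface.png
      root * ${./trollface.pl}
      file_server
    '';
    # SECURITY: Caddy is meant to be the only entry point to the backend on
    # port 3001. If that backend is a Docker container with a published port,
    # note that Docker installs its own iptables rules and the port is then
    # reachable from outside regardless of networking.firewall; publish it on
    # 127.0.0.1 only. (Whether it is a container is not visible here.)
    virtualHosts."test.jacekpoz.pl".extraConfig = ''
      reverse_proxy * localhost:3001
    '';
  };

  virtualisation = {
    #podman = {
    #  enable = true;
    #  dockerCompat = true;
    #};
    #oci-containers.backend = "podman";
    docker.enable = true;
  };

  # 80/443 for Caddy, 22 for sshd. Port 22 is also opened by
  # services.openssh.openFirewall (default true), so listing it here is
  # redundant but harmless.
  networking.firewall.allowedTCPPorts = [ 80 443 22 ];

  # Release whose stateful defaults this system was installed with; not the
  # version to bump when upgrading nixpkgs.
  system.stateVersion = "23.11";
}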