{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # hash for "nixos"
  defaultPasswordHash = "$y$j9T$u0O3PELyRv3GOemCReQhA0$Qb4Sl6dXnafYwZeDYrJGwS4xp3v6vGriWFMYomHH2w3";
in {
  nix = {
    package = pkgs.nixVersions.stable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    optimise.automatic = true;
    settings = {
      auto-optimise-store = true;
      trusted-users = ["root" "gabe"];
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  time.timeZone = lib.mkDefault "Europe/Berlin";
  # Select internationalisation properties.
  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";

  # Configure keymap in X11
  services.xserver = {
    xkb.layout = lib.mkDefault "us";
    xkb.variant = lib.mkDefault "";
  };

  # packages that should be on every system.
  environment.systemPackages = with pkgs; [
    neovim
    rsync
  ];

  programs.zsh.enable = lib.mkDefault true;
  environment.shells = lib.mkDefault [pkgs.zsh];
  # if we arent setting our password from nix secrets, we need to allow changing it.
  users.mutableUsers = !inputs ? nix-secrets;
  users.users.${config.host.user} = {
    isNormalUser = true;
    hashedPassword =
      if inputs ? nix-secrets
      then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
      else defaultPasswordHash;
    description = config.host.fullName;
    shell = pkgs.zsh;
    extraGroups = ["wheel"];
  };
  users.users.root.password =
    if inputs ? nix-secrets
    then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
    else defaultPasswordHash;

  imports = [
    ../../modules/nixos
  ];

  home-manager.useGlobalPkgs = true;
  home-manager.useUserPackages = true;
  home-manager.extraSpecialArgs = {inherit inputs;};
}