{
  lib,
  pkgs,
  ...
}@args:
{
  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  time.timeZone = "Asia/Singapore";

  networking.networkmanager = {
    enable = true;
  };

  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 3000 3001 ];
    trustedInterfaces = [ "tailscale0" ];
  };

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };
  users.users.yadunut = {
    shell = pkgs.zsh;
    extraGroups = [ "input" ];
  };
  programs.zsh.enable = true;

  nix = {
    optimise = {
      automatic = true;
    };
    settings = {
      trusted-users = [ "root" "yadunut" ];
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
  };

  services.tailscale.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    pulse.enable = true;
    jack.enable = true;
  };

  services.greetd = {
    enable = true;
    settings = rec {
      initial_session={
        command = "uwsm start hyprland-uwsm.desktop";
        user = "yadunut";
      };
      default_session = initial_session;
    };
  };
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
  security.rtkit.enable = true;

  nixpkgs.config = {
    allowUnfree = true;
    rocmSupport = true;
  };

  services.ollama = {
    enable = true;
    host = "0.0.0.0";
    port = 11434;
  };

  programs.hyprland = {
    enable = true;
    withUWSM = true;
  };

  programs._1password.enable = true;
  programs._1password-gui.enable = true;
  networking.hostName = "penguin";

  environment.systemPackages = with pkgs; [
    git
    neovim
    kdePackages.dolphin
    wofi
    dunst
    hyprpolkitagent
    nixd
    brightnessctl
    open-webui
  ];

  services.sunshine = {
    enable = true;
    capSysAdmin = true;
  };

  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    defaultNetwork.settings.dns_enabled = true;
  };

  # gnome keyring
  services.gnome.gnome-keyring.enable = true;
  security.pam.services = {
    greetd.enableGnomeKeyring = true;
    login.enableGnomeKeyring = true;
  };

  fonts.packages = with pkgs;[ nerd-fonts.jetbrains-mono font-awesome
    noto-fonts
    noto-fonts-emoji
    noto-fonts-cjk-sans
    noto-fonts-extra
  ];
  system.stateVersion = "25.11";
}