# Shared NixOS baseline applied to every "vacu" host.  Everything in here is
# host-agnostic; per-host values arrive through the `config.vacu.*` options
# declared by the imported modules.  `inputs` is only referenced by the
# commented-out overlay line below.
{ lib, pkgs, config, utils, inputs, ... }:
{
  imports = [
    ./module.nix
    ./common-but-not.nix
    ./verify-system/nixos.nix
    ./nixos-rebuild.nix
    ./minimal-nixos.nix
  ];

  options.vacu = {
    # Nothing in this file reads this flag; its consumers live in other modules.
    underTest = lib.mkOption {
      default = false;
      type = lib.types.bool;
    };

    # ACME certificate name -> systemd units that consume that certificate.
    # Each entry orders the bootstrap self-signed cert service before those
    # units and registers them for reload when the real cert is (re)issued.
    acmeCertDependencies = lib.mkOption {
      default = { };
      example = ''
        vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
      '';
      type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
    };
  };

  config =
    let
      certDeps = config.vacu.acmeCertDependencies;

      # One `acme-selfsigned-<cert>` service per certificate, wanted by and
      # ordered before every unit that depends on the certificate.
      selfSignedOrdering = lib.mapAttrs' (cert: units:
        lib.nameValuePair "acme-selfsigned-${cert}" {
          wantedBy = units;
          before = units;
        }
      ) certDeps;

      # Ask security.acme to reload the dependent units after renewal.
      certReloads = lib.mapAttrs (_cert: units: { reloadServices = units; }) certDeps;

      onRelease2311 = config.system.nixos.release == "23.11";
    in
    {
      ## --- Supply chain / trust ---------------------------------------------

      # nixpkgs flags olm-3.2.16 as insecure; the original author's reading of
      # that warning was "insecure maybe, but nothing you can do about it".
      # NOTE(review): this allow-list is global — it silences the check on
      # every host importing this module, not only hosts that actually install
      # a Matrix client ("presumably needed by nheko").  Revisit once the
      # dependency goes away, and narrow it to the affected hosts if possible.
      nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
      # nixpkgs.overlays = [ inputs.self.overlays.default ];

      # Binary caches are pinned with mkForce: no other module can append a
      # substituter or a signing key (a competing mkForce fails evaluation),
      # and the extra-* lists are forced empty so nothing arrives that way.
      # Every cache must therefore be listed in vacu.nix.substituterUrls with
      # its key in vacu.nix.trustedKeys.
      nix.settings = {
        experimental-features = [ "nix-command" "flakes" ];
        substituters = lib.mkForce config.vacu.nix.substituterUrls;
        extra-substituters = lib.mkForce [ ];
        trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
        extra-trusted-public-keys = lib.mkForce [ ];
        # NOTE(review): Nix trusted users may override daemon settings such as
        # substituters and trusted keys from the client side, which makes this
        # effectively root-equivalent; keep it limited to the admin account.
        trusted-users = [ "shelvacu" ];
      };

      # Additional root CAs installed into the system-wide trust store.
      security.pki.certificates = config.vacu.rootCAs;

      ## --- Accounts and remote access ---------------------------------------

      users.users.shelvacu = {
        isNormalUser = true;
        # wheel grants sudo (passwordless by default, see below); the same
        # account is also the Nix trusted user above.
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
      };

      # Passwordless sudo for the entire wheel group.  mkDefault so a host can
      # re-enable the password prompt; note that SSH below is key-only.
      security.sudo.wheelNeedsPassword = lib.mkDefault false;

      services.openssh = {
        # Public-key authentication only: password and keyboard-interactive
        # logins are refused.  Root may still log in with a key
        # ("prohibit-password"), never with a password.
        settings.PasswordAuthentication = false;
        settings.KbdInteractiveAuthentication = false;
        settings.PermitRootLogin = "prohibit-password";
      };

      # NOTE(review): the NixOS mosh module appears to open its UDP port range
      # in the firewall by default (programs.mosh.openFirewall) — confirm, and
      # disable that on hosts that do not need mosh reachable.
      programs.mosh.enable = lib.mkDefault true;
      programs.ssh.extraConfig = config.vacu.ssh.config;

      ## --- ACME ------------------------------------------------------------

      systemd.services = selfSignedOrdering;
      security.acme.certs = certReloads;

      ## --- Base system -----------------------------------------------------

      networking.hostName = config.vacu.hostName;
      system.nixos.tags = [ "vacu${config.vacu.versionId}" config.vacu.hostName ];
      environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
      console.keyMap = lib.mkDefault "us";
      i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
      time.timeZone = "America/Los_Angeles";
      nixpkgs.config.allowUnfree = lib.mkDefault true;

      ## --- Packages and programs -------------------------------------------

      environment.systemPackages = config.vacu.packageList;
      vacu.packages."xorg-xev" = {
        enable = config.services.xserver.enable;
        package = pkgs.xorg.xev;
      };

      # /etc/chromium is served from the system profile: packages' /etc/chromium
      # directories are linked into it via pathsToLink, and the etc entry
      # points at that merged path.
      environment.etc."chromium".source = "/run/current-system/sw/etc/chromium";
      environment.pathsToLink = [ "/share/vacufuncs" "/etc/chromium" ];

      programs.git = lib.mkDefault {
        enable = true;
        lfs.enable = true;
      };

      # nix-ld: presumably to run dynamically linked binaries not built for
      # NixOS; it widens what unpatched third-party executables can do here.
      programs.nix-ld.enable = true;

      programs.screen = {
        screenrc = ''
          defscrollback 10000
          termcapinfo xterm* ti@:te@
          maptimeout 5
        '';
        # `enable` is skipped on 23.11 — presumably that release lacks the
        # option; not verified here.
      } // lib.optionalAttrs (!onRelease2311) { enable = true; };

      programs.tmux = {
        enable = true;
        extraConfig = "setw mouse";
        clock24 = true;
      };

      # commands.nix: shell helper functions exposed through the system profile.
      vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
      programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
      programs.bash.promptInit = lib.mkForce "";
    };
}