{ host }:

{ config, pkgs, ... }:
let
  artiq = builtins.getFlake git+https://github.com/m-labs/artiq.git;
in
{
  deployment.targetHost = host;
  deployment.hasFastConnection = true;
  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
  programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";

  imports =
    [
      (./. + "/${host}-hardware-configuration.nix")
      ./avscan-module.nix
    ];
  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
    libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
    pam_p11 = super.pam_p11.overrideAttrs(oa: {
      patches = [];
      postPatch = ''
        substituteInPlace src/match_openssh.c --replace \
          '"%s/.ssh/authorized_keys", pw->pw_dir)' \
          '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
        '';
    });
    gnome = super.gnome // {
       gnome-keyring = super.gnome.gnome-keyring.overrideAttrs(oa: {
          configureFlags = oa.configureFlags ++ ["--disable-ssh-agent"];
        });
    };
  };
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
  ];

  boot.binfmt.emulatedSystems = [ "armv7l-linux" ];

  networking.hostName = host;
  networking.firewall.allowedTCPPorts = [ 1883 ];
  networking.firewall.allowedUDPPorts = [ 1883 ];

  time.timeZone = "Asia/Hong_Kong";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    opensc yubikey-manager yubikey-manager-qt yubico-piv-tool
    wget vim gitAndTools.gitFull sshfs
    firefox
    thunderbird
    chromium
    usbutils pciutils uhubctl file lm_sensors audacious acpi
    gimp imagemagick
    (python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex jinja2 ]))
    texlive.combined.scheme-full
    mosh psmisc libreoffice-fresh
    inkscape
    xournal
    xsane
    gtkwave unzip zip gnupg
    gnome3.gnome-tweaks
    jq sublime3 rink qemu_kvm
    tmux screen gdb minicom picocom
    artiq.packages.x86_64-linux.openocd-bscanspi
    xc3sprog
    gqrx
    emacs bat ripgrep
    guake
    vscodium
    waypipe
    virt-manager spice-gtk
    kicad
    any-nix-shell
  ];
  programs.wireshark.enable = true;
  programs.wireshark.package = pkgs.wireshark;
  virtualisation.libvirtd.enable = true;
  virtualisation.libvirtd.qemu.ovmf.enable = true;
  security.wrappers.spice-client-glib-usb-acl-helper = {
    source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
    owner = "root";
    group = "root";
    setuid = true;
  };

  services.avscan.enable = true;

  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.extraConfig =
    ''
    StreamLocalBindUnlink yes
    '';
  programs.mosh.enable = true;

  services.pcscd.enable = true;
  programs.ssh.extraConfig =
    ''
    PKCS11Provider "${pkgs.opensc}/lib/opensc-pkcs11.so"
    '';
  programs.ssh.startAgent = true;
  programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
  security.pam.p11.enable = true;

  # Enable CUPS to print documents.
  services.printing = {
    enable = true;
    extraConf =
      ''
      Browsing Off
      BrowseLocalProtocols none
      '';
    browsedConf =
      ''
      BrowseRemoteProtocols none
      BrowseProtocols none
      '';
  };
  services.avahi = {
    enable = true;
    nssmdns = true;
  };

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio = {
    enable = true;
    package = pkgs.pulseaudioFull;
  };

  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;

  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.layout = "us";
  services.xserver.xkbOptions = "eurosign:e";

  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  environment.gnome.excludePackages = [ pkgs.epiphany ];

  systemd.suppressedSystemUnits = [
      "hibernate.target"
      "suspend.target"
      "suspend-then-hibernate.target"
      "sleep.target"
      "hybrid-sleep.target"
      "systemd-hibernate.service"
      "systemd-hybrid-sleep.service"
      "systemd-suspend.service"
      "systemd-suspend-then-hibernate.service"
  ];

  hardware.bluetooth.enable = true;

  programs.zsh.enable = true;
  programs.fish.enable = true;
  programs.fish.promptInit = ''
    any-nix-shell fish --info-right | source
  '';
  users.mutableUsers = false;
  users.defaultUserShell = pkgs.fish;
  users.extraGroups.plugdev = { };
  users.extraUsers = import ./common-users.nix { inherit pkgs; };
  security.sudo.wheelNeedsPassword = false;
  services.udev.packages = [ artiq.packages.x86_64-linux.openocd-bscanspi ];
  services.udev.extraRules = (import ./extra-udev.nix);

  nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
  nix.settings.substituters = ["https://nixbld.m-labs.hk?priority=10"];
  nix.settings.extra-sandbox-paths = ["/opt"];

  nix.extraOptions = ''
    experimental-features = nix-command flakes impure-derivations
  '';
}