{ host, rpi4, experimental-users ? false }:

{ config, pkgs, ... }:
let
  m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
in
{
  deployment.targetHost = host;
  deployment.hasFastConnection = true;
  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
  programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
  nixpkgs.system = "aarch64-linux";

  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
  boot.kernelPackages = if rpi4 then pkgs.linuxPackages_rpi4 else pkgs.linuxPackages_rpi3;
  boot.initrd.includeDefaultModules = false;

  # work around https://github.com/NixOS/nixpkgs/issues/125354
  disabledModules = [ "hardware/device-tree.nix" ];
  imports = [ ./device-tree-module.nix ];
  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
    deviceTree = super.callPackage ./device-tree-pkg.nix {};
  };
  hardware.deviceTree.enable = true;
  hardware.deviceTree.base = pkgs.device-tree_rpi;
  hardware.deviceTree.overlays = [ "${pkgs.device-tree_rpi.overlays}/rpi-poe.dtbo" ];


  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };

  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.gatewayPorts = "clientspecified";
  services.openssh.extraConfig =
    ''
    StreamLocalBindUnlink yes
    '';
  programs.mosh.enable = true;

  networking.hostName = host;

  networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];

  time.timeZone = "Asia/Hong_Kong";

  users.extraGroups.plugdev = { };
  users.mutableUsers = false;
  users.defaultUserShell = pkgs.fish;
  users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
    (pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
    nix = {
      isNormalUser = true;
    };
    nixbld = {
      isNormalUser = true;
      extraGroups = ["plugdev" "dialout"];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJGICdNM9mHHAa1Cxk9Wz3YLkIEeqrIQGxM0aoy1g5O"
      ];
    };
  };
  security.sudo.wheelNeedsPassword = false;
  services.udev.packages = [ m-labs.openocd ];
  services.udev.extraRules = (import ./extra-udev.nix);

  documentation.enable = false;
  environment.systemPackages = with pkgs; [
    psmisc wget vim git sshfs usbutils uhubctl lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
  ];
  programs.fish.enable = true;
  programs.wireshark.enable = true;

  nix.binaryCachePublicKeys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
  nix.binaryCaches = ["https://cache.nixos.org" "https://nixbld.m-labs.hk"];
  nix.trustedUsers = ["root" "nix" "sb"];

  nix.package = pkgs.nix_2_4;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
}