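# NixOS machine module: UEFI boot through systemd-boot, a LUKS-encrypted btrfs
# volume split into subvolumes, and a tmpfs root. Anything not stored on one of
# the btrfs subvolumes below lives in RAM and is gone after a reboot.
{ nixpkgs, config, pkgs, ... }:
let
  # Only referenced by the commented-out Secure Boot signing options below.
  cfg = config.machine;
in
{
  imports = [ "${nixpkgs}/nixos/modules/installer/scan/not-detected.nix" ];

  boot = {
    loader.systemd-boot = {
      enable = true;
      # Signing is disabled, so nothing in this module authenticates the
      # kernel/initrd that sit on the unencrypted ESP.
      # NOTE(review): confirm whether Secure Boot is handled elsewhere. If these
      # options are re-enabled, make sure cfg.secretPath is a plain string that
      # names a runtime path; interpolating a Nix path value would copy the
      # private key into the world-readable /nix/store.
      # signed = true;
      # signing-key = "${cfg.secretPath}/secureboot/db.key";
      # signing-certificate = "${cfg.secretPath}/secureboot/db.crt";
    };
    # Lets the boot loader installation write EFI variables (boot entries).
    loader.efi.canTouchEfiVariables = true;

    # /tmp is a persistent btrfs subvolume (see fileSystems), so it is wiped
    # explicitly on every boot.
    tmp = {
      cleanOnBoot = true;
    };

    supportedFilesystems = [ "btrfs" ];
    kernelPackages = pkgs.linuxPackages_latest;

    initrd = {
      availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc" ];
      # LUKS container opened in the initrd; it appears as
      # /dev/mapper/btrfs-crypt and backs every btrfs mount below.
      luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/10435741-b864-453d-ab18-4dc710db1378";
    };

    kernelModules = [ "acpi_call" "i915" "kvm-intel" "uinput" ];

    # 5_10 breaks my touchpad/mouse buttons
    # https://bbs.archlinux.org/viewtopic.php?id=254885
    # maybe modprobe hid_rmi or i2c_i801
    # blacklistedKernelModules = [ "i2c_i801" ];
    extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
    # pkgs.gitpkgs.linuxPackages_latest.hid-nintendo ];

    # Turns on the Intel IOMMU (DMA remapping).
    kernelParams = [ "intel_iommu=on" ];

    # i915: framebuffer compression on; enable_guc=3 requests both GuC
    # submission and HuC firmware loading.
    extraModprobeConfig = ''
      options i915 enable_fbc=1 enable_guc=3
    '';

    kernel.sysctl = {
      # Disable the NMI watchdog.
      "kernel.nmi_watchdog" = 0;
      # Raise the per-user inotify watch limit.
      "fs.inotify.max_user_watches" = 524288;
      # Flush dirty pages every 15 s (value is in centiseconds).
      "vm.dirty_writeback_centisecs" = 1500;
    };
  };

  fileSystems = {
    # Root lives in RAM and is mounted noexec; executables come from /nix.
    "/" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=6G" "mode=755" "noexec" ];
    };

    # NOTE(review): unlike /, /persist and /snapshots, this mount carries no
    # noexec/nosuid/nodev. nosuid and nodev are usually safe on a temp
    # directory; noexec may break software that runs files from /tmp, so test
    # before adding it.
    "/tmp" = {
      device = "/dev/mapper/btrfs-crypt";
      fsType = "btrfs";
      options = [ "subvol=tmp" "noatime" "compress=zstd" ];
      neededForBoot = true;
    };

    "/persist" = {
      device = "/dev/mapper/btrfs-crypt";
      fsType = "btrfs";
      options = [ "subvol=persist" "noatime" "compress=zstd" "noexec" ];
      neededForBoot = true;
    };

    # The Nix store holds the system's executables, so it cannot be noexec.
    "/nix" = {
      device = "/dev/mapper/btrfs-crypt";
      fsType = "btrfs";
      options = [ "subvol=nix" "noatime" "compress=zstd" ];
      neededForBoot = true;
    };

    "/snapshots" = {
      device = "/dev/mapper/btrfs-crypt";
      fsType = "btrfs";
      options = [ "subvol=snapshots" "noatime" "compress=zstd" "noexec" ];
      neededForBoot = false;
    };

    # EFI system partition: outside the LUKS container, so unencrypted.
    # vfat has no per-file permissions, so fmask/dmask define them. With 0022
    # every local user could read the ESP, including the systemd-boot
    # random-seed file (bootctl warns about exactly this). 0077 restricts the
    # whole mount to root.
    "/boot" = {
      device = "/dev/disk/by-uuid/546A-A3D1";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  };

  hardware = {
    firmware = with pkgs; [ firmwareLinuxNonfree ];
    cpu.intel.updateMicrocode = true;
    enableAllFirmware = false;

    # Kernel samepage merging deduplicates identical memory pages.
    # NOTE(review): page deduplication is a known timing side-channel surface
    # between processes/VMs; reconsider if untrusted guests run under the
    # kvm-intel module loaded above.
    ksm.enable = true;

    graphics = {
      extraPackages = with pkgs; [
        (intel-vaapi-driver.override { enableHybridCodec = true; })
      ];
      extraPackages32 = with pkgs.pkgsi686Linux; [
        (intel-vaapi-driver.override { enableHybridCodec = true; })
      ];
    };

    pulseaudio = {
      enable = true;
      support32Bit = true;
      package = pkgs.pulseaudioFull;
      # Zeroconf discovery of network sound devices stays off.
      zeroconf.discovery.enable = false;
      extraClientConf = ''
        autospawn = no
      '';
    };

    # The Bluetooth controller is powered as soon as the machine boots.
    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };

  powerManagement = {
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  services = {
    upower.enable = true;
    xserver.videoDrivers = [ "intel" ];
  };

  environment.variables.LIBVA_DRIVER_NAME = "i915";

  time.timeZone = "Europe/Berlin";
}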