{ config, lib, pkgs, ... }:
let
  nixKey = "/var/lib/nix/binary-cache-key";
  # just using the filepath interacts poorly with typechecking under diverted stores
  toStore = path: pkgs.writeText (builtins.baseNameOf path) (builtins.readFile path);
in {
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.memtest86.enable = lib.mkIf (pkgs.hostPlatform.isx86) true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot";

  time.timeZone = "America/Phoenix";

  systemd.services.nix-key-setup = {
    description = "Generate a nix build signing key";
    script = ''
      test -f ${nixKey} && test -f ${nixKey}.pub && exit 0 || true
      mkdir -p "$(dirname "${nixKey}")"
      ${config.nix.package}/bin/nix-store --generate-binary-cache-key ${config.networking.hostName} ${nixKey} ${nixKey}.pub
    '';
    wantedBy = [ "multi-user.target" ];
  };

  console = {
    font = "Lat2-Terminus16";
    #keyMap = "us";
    useXkbConfig = true; # use xkb.options in tty.
  };

  environment.systemPackages = with pkgs; [
    strace
    rr
    qemu-user

    # language servers
    nil
    rust-analyzer
    lua-language-server
    clang-tools
    bash-language-server
    pyright
    csharp-ls
    gopls
    typescript-language-server
    #ocamllsp

    pre-commit
  ];

  programs = {
    virt-manager.enable = true;
    nix-ld.enable = true;
  };

  services.zfs.zed = {
    settings = {
      PATH = lib.mkForce (lib.makeBinPath [
        config.boot.zfs.package
        pkgs.coreutils
        pkgs.curl
        pkgs.gawk
        pkgs.gnugrep
        pkgs.gnused
        pkgs.nettools
        pkgs.util-linux

        pkgs.systemd
      ]);

      ZED_USE_DBUS = "1";
    };
  };

  security.pam.u2f = {
    enable = true;
    settings.authfile = toStore ./dotfiles/u2f-keys;
    settings.cue = true;
  };

  services.fwupd.enable = true;
  services.hardware.bolt.enable = true;
}