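# Home-manager profile for a macOS work machine: package selection, SSH client
# defaults routed through the 1Password agent, per-directory git identities,
# and a launchd-managed SOCKS tunnel.
{ pkgs, inputs, config, system, lib, ... }:
with pkgs;
let
  # Package set from the nixos-unstable input; not referenced below at present.
  unstable = inputs.nixos-unstable.legacyPackages.${system};
in
{
  schmittlauch.packages = {
    graphics = true;
    multimedia = true;
    nixHelpers = true;
    devTools = true;
    pythonTools = true;
  };

  home.packages = [
    wireshark # on NixOS systems enabled via system config
    _1password-cli
    # also TODO: color schemes nix-darwin
    # NOTE(review): the line breaks of this file were lost; `nix-darwin` may
    # originally have been a list entry rather than part of the TODO - confirm.
  ];

  # pinning theme is necessary until iTerm 3.5, because despite the dark terminal
  # background, bat detects light mode and adapts theme
  programs.bat.config.theme = "Visual Studio Dark+";

  programs.ssh = {
    enable = true;
    # defaults in bottom match block "*"
    # TODO: common config for desktop as well

    # multiplexer, e.g. to avoid rate limiting on jumphost usage
    serverAliveInterval = 60;
    controlMaster = "auto";
    # Trade-off: an authenticated master connection stays usable for up to 4h
    # after the last session closes, and later sessions over it do not consult
    # the agent again. Shorten this if per-connection approval matters.
    controlPersist = "4h";

    # ssh host config
    matchBlocks = {
      # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults.
      "*" = {
        extraOptions = {
          # Keys are served by the 1Password agent socket; the inner quotes are
          # needed because the path contains a space.
          IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
          # If a custom ControlPath is re-enabled, prefer a directory only this
          # user can write to over the shared /tmp.
          #ControlPath = "/tmp/ssh_mux_%h_%p_%r";
        };
      };
      "hydra01" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "hydra01.access.whq.gocept.net";
        user = "os";
      };
      "fcio-whq-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-whq.services.fcio.net";
        extraOptions.LogLevel = "Verbose";
      };
      "fcio-rzob-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-rzob.services.fcio.net";
      };
    };
  };

  programs.git =
    let
      # Names and e-mail addresses live in the private `mysecrets` input.
      contacts = import "${inputs.mysecrets}/contacts.nix" { inherit lib; };
    in
    {
      # Order matters: git reads includeIf sections in file order and the last
      # matching assignment of user.name/user.email wins. "gitdir:~/" also
      # matches every repository below ~/src/schmittlauch/, so the catch-all
      # must come FIRST and the specific override LAST; otherwise personal
      # repositories are committed to with the work identity.
      # NOTE(review): assumes home-manager emits includes in list order -
      # verify with `git config --show-origin user.email` in both locations.
      includes =
        # set default name for several other common locations
        (map
          (dir: {
            condition = "gitdir:${dir}";
            contents = {
              user = {
                inherit (contacts.work) name email;
              };
            };
          })
          [ "~/" ])
        ++ [
          {
            condition = "gitdir:~/src/schmittlauch/";
            contents = {
              user = {
                inherit (contacts.schmittlauch) name email;
              };
            };
          }
        ];
    };

  # some extra shell scripts
  programs.zsh.initExtra = lib.mkAfter (
    import ./scripts/reporsync.nix { inherit pkgs lib; }
    + import ./scripts/ssh-loop-fc.nix { inherit pkgs lib; }
  );

  # Persistent SOCKS proxy through the WHQ jump host.
  # The proxy itself is unauthenticated: every local process that can reach the
  # listening port can send traffic through the tunnel.
  launchd.agents.hydra_proxy = {
    enable = true;
    config = {
      ProgramArguments = [
        "${lib.getExe pkgs.autossh}"
        # no autossh monitor port; liveness comes from ServerAliveInterval
        "-M"
        "0"
        # Bind explicitly for local use only, so a GatewayPorts setting picked
        # up from another config file cannot expose the proxy to the network.
        "-D"
        "localhost:1080"
        "-oServerAliveInterval=60"
        # Exit when port 1080 cannot be bound, so autossh/launchd retry instead
        # of leaving a connected ssh without a forward while clients talk to
        # whatever else owns that port.
        "-oExitOnForwardFailure=yes"
        # keep the long-lived tunnel off the shared multiplexing socket
        "-oControlMaster=no"
        "-N"
        "vpn-whq.services.fcio.net"
      ];
      # TODO: consider socket activation instead
      KeepAlive = true;
      ThrottleInterval = 60;
    };
  };

  # Unfree allowlist kept to the single package that needs it.
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "1password-cli"
    ];

  home.stateVersion = "22.05";
}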