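# Home-manager configuration for a darwin host: user-level packages, the ssh
# topology for the fcio.net / gocept.net networks, git identities and a
# launchd-managed SOCKS tunnel.
#
# Packages are referenced as `pkgs.<name>` instead of through a file-wide
# `with pkgs;`, so every package name is visibly resolved against pkgs. The
# former `unstable` let-binding was unused and has been dropped.
{ pkgs, inputs, config, lib, ... }:
{
  imports = [ ./modules/llm.nix ];

  # Package groups provided by a custom module (defined outside this file).
  schmittlauch.packages = {
    graphics = true;
    multimedia = true;
    nixHelpers = true;
    devTools = true;
    pythonTools = true;
  };

  targets.darwin = {
    linkApps.enable = false; # spotlight ignores symlinks
    copyApps.enable = true;
  };

  home.packages = [
    pkgs.wireshark # on NixOS systems enabled via system config
    pkgs._1password-cli
    pkgs.rectangle
    # also TODO: color schemes nix-darwin
  ];

  # pinning theme is necessary until iTerm 3.5, because despite the dark terminal
  # background, bat detects light mode and adapts theme
  programs.bat.config.theme = "Visual Studio Dark+";

  programs.ssh = {
    enable = true;
    # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults.
    extraOptionOverrides = {
      # Every host authenticates through the 1Password agent; the inner quotes are
      # required because the socket path contains spaces.
      IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
      # NOTE(review): CanonicalDomains only takes effect while CanonicalizeHostname
      # is enabled, which is not set in this file — confirm it is set elsewhere.
      CanonicalDomains = "fcio.net gocept.net";
    };

    # Tags consumed by the multi-proxy module (defined outside this file).
    multi-proxy.tags = {
      # XXX genAttrs or listToAttrs with rzob/WHQ
      # Connect to hosts directly, or if that fails (e.g. IPv4-only network)
      # use the bastion host as a jump host.
      "direct-rzob" = {
        after = [ "*.fcio.net *.gocept.net" ];
        jumpHost = "vpn-rzob.services.fcio.net";
        connectType = [ "master" "direct" ];
      };
      "direct-whq" = {
        after = [ "*.fcio.net *.gocept.net" ];
        jumpHost = "vpn-whq.services.fcio.net";
        connectType = [ "master" "direct" ];
      };
      # noDirect: these hosts are only ever reached through the jump host.
      "proxyjump-whq" = {
        after = [ "tagged-direct-whq" ]; # XXX readOnly backref option
        jumpHost = "kenny12.fe.whq.fcio.net";
        connectType = [ "all" ];
        noDirect = true;
      };
      "proxyjump-rzob" = {
        after = [ "tagged-direct-rzob" ]; # XXX readOnly backref option
        jumpHost = "kenny09.fe.whq.fcio.net";
        connectType = [ "all" ];
        noDirect = true;
      };
    };

    # ssh host config
    matchBlocks = {
      # --- Host blocks (order matters: specific before wildcard) --------
      # Hosts are only accessible via bastion host
      #"switch1.example.com switch2.example.com" =
      #  lib.hm.dag.entryBefore [ "*.example.com" ] {
      #    extraOptions = {
      #      Tag = "proxyjump";
      #    };
      #  };

      # TODO: this site-specific information is currently also publicly available
      # elsewhere, so having it here in plain is fine. For adding more
      # topology-related specific rules, consider moving this into secrets like
      # SOPS or so.

      # Hostname wildcard for management network, also accessed via bastion host
      "*.mgm.whq.fcio.net *.mgm.whq.gocept.net" =
        lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
          extraOptions = { Tag = "proxyjump-whq"; };
        };
      "*.mgm.rzob.fcio.net *.mgm.rzob.gocept.net" =
        lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
          extraOptions = { Tag = "proxyjump-rzob"; };
        };

      # Fallback for all other FCIO hosts
      "*.fcio.net *.gocept.net" = {
        extraOptions = { Tag = "direct-rzob"; };
      };

      "hydra01" = {
        hostname = "hydra01.access.whq.gocept.net";
        user = "os";
      };

      # Jump-host aliases. Both multiplex connections (ControlMaster/ControlPersist);
      # while the master is persisted, any process running as this user can reuse
      # the already-authenticated connection without touching the agent again, so
      # the persist window is kept short.
      "fcio-whq-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-whq.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
          ControlMaster = "auto";
          # not too long, due to the frequent keepalives
          ControlPersist = "1h";
        };
      };
      "fcio-rzob-jump" = {
        # multiplexer, e.g. to avoid rate limiting on jumphost usage
        hostname = "vpn-rzob.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
          ControlMaster = "auto";
          # not too long, due to the frequent keepalives
          ControlPersist = "1h";
        };
      };
    };
  };

  programs.git =
    let
      # Names and addresses come from a private flake input, not from this repo.
      contacts = import "${inputs.mysecrets}/contacts.nix" { inherit lib; };
    in
    {
      includes = [
        {
          condition = "gitdir:~/src/schmittlauch/";
          contents = { user = { inherit (contacts.schmittlauch) name email; }; };
        }
      ]
      # set default name for several other common locations
      # NOTE(review): "gitdir:~/" also matches ~/src/schmittlauch/, and for the
      # same key git lets the later include win — confirm the personal identity
      # still applies there (e.g. by listing this include first).
      ++ map (dir: {
        condition = "gitdir:${dir}";
        contents = { user = { inherit (contacts.work) name email; }; };
      }) [ "~/" ];
    };

  # some extra shell scripts
  programs.zsh.initContent = lib.mkAfter (
    import ./scripts/reporsync.nix { inherit pkgs lib; }
    + import ./scripts/ssh-loop-fc.nix { inherit pkgs lib; }
  );

  # separate proxied browser using the DHCP-supplied DNS for accessing captive portals
  programs.captive-browser = {
    enable = true;
    interface = "en0";
  };

  # Long-lived SOCKS tunnel through the WHQ jump host, kept alive by launchd
  # (the agent name suggests it serves hydra access — not verified here).
  launchd.agents.hydra_proxy = {
    enable = true;
    config = {
      ProgramArguments = [
        "${lib.getExe pkgs.autossh}"
        "-M" "0"                   # no autossh monitor port; liveness relies on the ServerAlive keepalive below
        "-D" "1080"                # SOCKS listener; without a bind address ssh binds it to loopback only
        "-oServerAliveInterval=30"
        "-oControlMaster=no"       # never share or become the multiplexing master of interactive sessions
        "-N"                       # tunnel only, no remote command
        "vpn-whq.services.fcio.net"
      ];
      # TODO: consider socket activation instead
      KeepAlive = true;            # launchd restarts the tunnel whenever autossh exits
      ThrottleInterval = 60;       # but waits at least 60s between restarts
    };
  };

  # Explicit allowlist of unfree packages, matched by package name only.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [ "1password-cli" "claude-code" ]; # nixpkgs.config merging is unfortunately broken

  home.stateVersion = "22.05";
}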