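# home-manager module for a nix-darwin (macOS) host.
#
# Arguments are the usual home-manager module arguments plus the flake
# `inputs` and `system` passed in by the caller (`config` is accepted but
# not used here).
{ pkgs, inputs, config, system, lib, ... }:
with pkgs;
{
  schmittlauch.packages = {
    graphics = true;
    multimedia = true;
    nixHelpers = true;
    devTools = true;
    pythonTools = true;
  };

  home.packages = [
    wireshark # on NixOS systems enabled via system config
    _1password-cli
    # also TODO: color schemes nix-darwin
  ];

  # pinning theme is necessary until iTerm 3.5, because despite the dark
  # terminal background, bat detects light mode and adapts theme
  programs.bat.config.theme = "Visual Studio Dark+";

  programs.ssh = {
    enable = true;
    # defaults in bottom match block "*"
    # TODO: common config for desktop as well

    # multiplexer, e.g. to avoid rate limiting on jumphost usage
    serverAliveInterval = 10;
    serverAliveCountMax = 2; # 2 strikes and you're out
    controlMaster = "auto";
    # not too long, due to the frequent keepalives
    controlPersist = "1h";

    # ssh host config
    matchBlocks = {
      # early catchall to enforce agent socket usage. **NOT** the place for
      # fallback defaults.
      # Every other block below is ordered after this one via
      # `lib.hm.dag.entryAfter [ "*" ]`, so the agent socket applies to all
      # of them. The inner quotes are required: extraOptions are emitted
      # verbatim into ssh_config and the socket path contains spaces.
      "*" = {
        extraOptions = {
          IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
        };
      };

      "hydra01" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "hydra01.access.whq.gocept.net";
        user = "os";
      };

      # jump hosts: verbose logging to make connection problems diagnosable,
      # IPv4 only (AddressFamily=inet)
      "fcio-whq-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-whq.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
        };
      };

      "fcio-rzob-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-rzob.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
        };
      };
    };
  };

  programs.git =
    let
      # NOTE(review): interpolating a flake input into a path string copies
      # that input into the (world-readable) Nix store; fine for contact
      # data, but keep real secrets out of `contacts.nix`.
      contacts = import "${inputs.mysecrets}/contacts.nix" { inherit lib; };
    in
    {
      # git evaluates includeIf entries in order and, for single-valued keys
      # such as user.name / user.email, the LAST matching value wins.
      # `gitdir:~/` matches every repository below $HOME, including
      # ~/src/schmittlauch/, so the broad default identity has to be listed
      # BEFORE the more specific one — otherwise the work identity would
      # silently override it.
      includes =
        # set default name for several other common locations
        map (dir: {
          condition = "gitdir:${dir}";
          contents = { user = { inherit (contacts.work) name email; }; };
        }) [ "~/" ]
        ++ [
          {
            condition = "gitdir:~/src/schmittlauch/";
            contents = { user = { inherit (contacts.schmittlauch) name email; }; };
          }
        ];
    };

  # some extra shell scripts
  programs.zsh.initContent = lib.mkAfter (
    import ./scripts/reporsync.nix { inherit pkgs lib; }
    + import ./scripts/ssh-loop-fc.nix { inherit pkgs lib; }
  );

  # separate proxied browser using the DHCP-supplied DNS for accessing
  # captive portals
  programs.captive-browser = {
    enable = true;
    interface = "en0";
  };

  # Persistent SOCKS proxy through the WHQ jump host, supervised by launchd.
  launchd.agents.hydra_proxy = {
    enable = true;
    config = {
      ProgramArguments = [
        "${lib.getExe pkgs.autossh}"
        # -M 0: no autossh monitoring port; liveness comes from ssh's own
        # ServerAliveInterval/ServerAliveCountMax instead
        "-M" "0"
        # dynamic (SOCKS) forward on port 1080. No bind address is given, so
        # ssh follows GatewayPorts, which defaults to loopback-only; if
        # GatewayPorts is ever enabled in the "*" block this proxy would be
        # exposed on all interfaces.
        "-D" "1080"
        "-oServerAliveInterval=30"
        # do not attach to / create the shared control master from the "*"
        # defaults, so this long-running session has its own connection
        "-oControlMaster=no"
        "-N"
        "vpn-whq.services.fcio.net"
      ];
      # TODO: consider socket activation instead
      KeepAlive = true;
      ThrottleInterval = 60; # seconds launchd waits before respawning
    };
  };

  # allowlist: only this single unfree package may be evaluated
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [ "1password-cli" ];

  # do not bump without reading the home-manager release notes
  home.stateVersion = "22.05";
}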