{
  config,
  lib,
  pkgs,
  ...
}:

{
  imports =
    lib.fileset.toList (lib.fileset.fileFilter (file: file.hasExt "nix") ../nixos/core)
    ++ lib.fileset.toList (lib.fileset.fileFilter (file: file.hasExt "nix") ../nixos/server)
    ++ [
      ./hardware.nix
      ./disk-config.nix
    ];

  sops = {
    defaultSopsFile = ../secrets/forest.yaml;
    age.keyFile = "/var/lib/sops-nix/forest.txt";
    secrets = {
      "passwords/root".neededForUsers = true;
      "passwords/monke".neededForUsers = true;
    };
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.kexec.enable = true;

  networking.hostName = "forest";
  networking.hostId = "bca37001";
  networking.networkmanager.enable = true;

  time.timeZone = "Australia/Melbourne";

  console = {
    font = "Lat2-Terminus16";
    keyMap = lib.mkDefault "us";
    useXkbConfig = true;
  };

  services.xserver.xkb = {
    layout = "us";
    variant = "colemak_dh_ortho";
  };

  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;
  users.users = {
    root.hashedPasswordFile = config.sops.secrets."passwords/root".path;
    monke = {
      isNormalUser = true;
      extraGroups = [
        "audio"
        "disk"
        "docker"
        "input"
        "lp"
        "plugdev"
        "render"
        "video"
        "wheel"
      ];
      hashedPasswordFile = config.sops.secrets."passwords/monke".path;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSgzkYEkUDfUWwS2fvPy7gVgjh0zRz4HphkjlUbUkF/ monke@bathtub"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUk5RJWdyqqtA7Nh3aO0PYxtywJxRLLNvWO3FEg6WGc8PdxsHczlug5XBKYXonP9VzFcu427udb4DIEzhqsj7zUVRmeEmDAAyIFA8q36ZdMAmIhDp1oLpJVIgm1w/wiBtd8SPFBjZ1aYFCWLDz4kYroC/mhfwKRaXbJcG7b0B55ZHeJ4P/YpAZURX6+q9aNm61K5m0bnvtLoGx5OsQrsqMpmhlwahUdlQe5jbnq4DvwNh3W/u0+N/BABf1wdGW2l5yEBueWbr96DqxV9rFy60kt53l5Ce4RAhNp5bW5y830A7YoHWfq1cQam45LwCAVeDUsnKlYsXQkW6oVMomUJuxh0TmEOUBuA3jR7DM4rKMVPlCKOl54bwstawZR63lRkwNt9MARlbFDID+sUzJgmRLyayEDPqliymHu6mkBTUT9fAmmU6I3ohvVzR8tqy+45zSoQTtZBLZ+DQ//1sqoNgDOKl/DoCx4dFaGvfORpXbqKxmA43eF842hfC6icFeLHx8fGbzfUKAPvPn3aslJtD00j5FrX/LILBFcscY2bu11Hae3qk0W4F9dz5NfIeVh9VMikAr9kfvHzBf/7ayiwE4XxiZkdkxk6sYOzMm1Aw+hzYqpfzz32qRkOptWDgQ2gN20hyKU2IZ3rllYN9xCGWHmGUBBk53EH49e22ThnwGyw== monke@tundra"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjEyGfx4H3lyIhSs2Cc4GhfEQkl/oR4oUPAtpbMjohA"
      ];
    };
  };

  environment.systemPackages = with pkgs; [
    neovim
    curl
    git
    storcli
    smartmontools
    ffmpeg
  ];

  system.stateVersion = "25.11";
}