# Host module: laptop peripherals, power management, the GDM fingerprint PAM
# stack, resolver settings and the per-region WireGuard tunnels.
{ pkgs, pkgs-unstable, inputs, lib, config, ... }:
let
  # The three everii VPN regions. The public keys are the *peers'* keys and
  # are not secret; each tunnel's private key is pulled from agenix below.
  vpnRegions = [
    { region = "de1"; ipOctet = 13; publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo="; }
    { region = "fi1"; ipOctet = 14; publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs="; }
    { region = "ch1"; ipOctet = 15; publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo="; }
  ];

  # One wg-quick interface ("everii-<region>") per entry of vpnRegions.
  mkVpnInterface = { region, ipOctet, publicKey }:
    let
      octet = toString ipOctet;
      resolvectl = "${pkgs.systemd}/bin/resolvectl";
    in
    lib.nameValuePair "everii-${region}" {
      address = [ "10.${octet}.8.48/22" ];
      dns = [ "10.${octet}.1.1" ];
      # Key material never lands in the Nix store: agenix decrypts it at
      # activation and only the decrypted path is referenced here.
      privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
      peers = [
        {
          # Split tunnel: only the region's 10.<octet>.0.0/16 is routed over
          # the VPN, so the three regions (10.13/10.14/10.15) cannot collide
          # and no default route is hijacked by a tunnel.
          allowedIPs = [ "10.${octet}.0.0/16" ];
          endpoint = "vpn.${region}.infra.everii.io:51821";
          inherit publicKey;
        }
      ];
      # Restrict the tunnel's DNS server to the region's forward and reverse
      # zones. `resolvectl domain` *replaces* the interface's domain list, so
      # this also discards whatever wg-quick registered for the interface
      # (believed to be a catch-all "~." routing domain — TODO confirm), which
      # keeps ordinary lookups on the normal resolver instead of the VPN.
      # DNSSEC is disabled per interface because the internal zones are
      # presumably unsigned.
      postUp = ''
        ${resolvectl} domain everii-${region} ~${region}.everii ~${octet}.10.in-addr.arpa
        ${resolvectl} dnssec everii-${region} no
      '';
    };
in
{
  ###### Peripherals #####################################################

  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };

  hardware.keyboard.zsa.enable = true;

  # udev rules: ZSA keyboards, the YubiKey personalization tooling (from the
  # unstable channel) and the Ksoloti board from a PR flake input, selected
  # for this host's platform.
  services.udev.packages = [
    pkgs.zsa-udev-rules
    pkgs-unstable.yubikey-personalization
    inputs.ksoloti-pr.legacyPackages.${pkgs.stdenv.hostPlatform.system}.ksoloti
  ];

  # iOS device pairing daemon.
  services.usbmuxd = {
    enable = true;
    package = pkgs.usbmuxd;
  };

  services.fwupd.enable = true;   # firmware update daemon
  services.fstrim.enable = true;
  services.fprintd.enable = true;
  security.tpm2.enable = true;
  services.nqptp.enable = true;

  ###### Authentication ##################################################

  # Keep the console login (tty/getty) password-only, as other distributions
  # do. NOTE(review): NixOS defaults fprintAuth to services.fprintd.enable for
  # every PAM service (sudo, gdm-password, ...); only `login` is opted out here
  # — verify the other services are intended to accept a fingerprint.
  security.pam.services.login.fprintAuth = false;

  # Dedicated fingerprint-only stack for GDM's fingerprint conversation,
  # modelled on the gdm-fingerprint file other distributions ship. It is only
  # defined while fprintd is enabled, so it can never reference a pam_fprintd
  # module that is not installed.
  #
  # Review notes on the stack (runtime text kept verbatim):
  #  * pam_faillock is used with `preauth` only: an account already locked by
  #    password failures elsewhere is refused, but fingerprint failures are
  #    never recorded (there is no `authfail`/`authsucc` line), so the only
  #    brute-force throttle in this stack is pam_fprintd's own retry limit —
  #    TODO confirm that is acceptable for this host.
  #  * Linux-PAM's own modules (pam_shells, pam_nologin, pam_faillock,
  #    pam_env, pam_permit, pam_deny) are unqualified and presumably resolve
  #    from the pam package's module directory; third-party modules
  #    (fprintd, gdm, gnome-keyring) are given their full store paths.
  #  * `password required pam_deny.so` means no credential can be changed
  #    through this service; account and session are delegated to `login`.
  security.pam.services.gdm-fingerprint = lib.mkIf config.services.fprintd.enable {
    text = ''
      auth required pam_shells.so
      auth requisite pam_nologin.so
      auth requisite pam_faillock.so preauth
      auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
      auth optional pam_permit.so
      auth required pam_env.so
      auth [success=ok default=1] ${pkgs.gdm}/lib/security/pam_gdm.so
      auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
      account include login
      password required pam_deny.so
      session include login
      session optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
    '';
  };

  ###### Power ###########################################################

  services.logind.settings.Login = {
    IdleAction = "suspend";
    HandleLidSwitch = "suspend";
    HandlePowerKey = "suspend";
  };

  powerManagement = {
    enable = true;
    # Wi-Fi radio is switched off before suspend and back on after resume.
    powerDownCommands = "${pkgs.networkmanager}/bin/nmcli radio wifi off";
    powerUpCommands = "${pkgs.networkmanager}/bin/nmcli radio wifi on";
  };

  services.power-profiles-daemon.enable = true;

  ###### Graphics ########################################################

  hardware.amdgpu.opencl.enable = true;
  hardware.graphics = {
    enable = true;
    extraPackages = [ pkgs.rocmPackages.clr.icd ];
  };

  ###### Networking ######################################################

  # Both resolver settings are the best-effort variants: DNS-over-TLS and
  # DNSSEC are used when the upstream resolver supports them and silently fall
  # back to plaintext / unvalidated otherwise. That defends against passive
  # observation only — an active on-path attacker can downgrade either. Move
  # to dnsovertls = true / dnssec = true once the upstream resolvers are known
  # to support them.
  services.resolved = {
    enable = true;
    dnsovertls = "opportunistic";
    dnssec = "allow-downgrade";
  };

  networking.networkmanager = {
    enable = true;
    wifi.backend = "iwd";
    dns = "systemd-resolved";
    plugins = [ pkgs.networkmanager-openvpn ];
  };

  # These openings are host-wide — every interface, including the WireGuard
  # tunnels defined below — presumably for AirPlay/mDNS alongside nqptp
  # (confirm). Prefer scoping them to the LAN interface via
  # networking.firewall.interfaces.<name>.* so VPN peers cannot reach them.
  networking.firewall = {
    allowedTCPPortRanges = [ { from = 7000; to = 7010; } ];
    allowedUDPPorts = [ 5353 ];
  };

  networking.wg-quick.interfaces = lib.listToAttrs (map mkVpnInterface vpnRegions);
}