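{ self, inputs, ... }:
let
  username = "john";
  hostname = "john-pc-ubuntu";

  # Hosts used by the `test-push` helper below. The commented entries keep the
  # IPv6 (ULA) addresses the two candidate targets were last seen at:
  # testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
  # testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix
  testHost = "soteria";    # which NixOS host configuration to test-build
  testTarget = "test-nix"; # where the built closure is pushed and switched to
in
{
  flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }:
    let
      selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};

      # Where sops-nix exposes the decrypted restic repository password (see the
      # sops.secrets entry below). Mode 0400, but it is a plaintext secret on disk
      # under the user's config dir, so keep the exclusions/backups in mind.
      resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";

      # Checked-out flake this configuration is built from; also the single
      # source of truth for the paths derived from it below.
      flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";

      # Build `testHost`'s NixOS configuration and switch `testTarget` to it.
      # Connects as root, which is why the "root" principal is requested in
      # step-ssh-user.principals below. Arguments are quoted so the flake ref
      # and target survive any unusual characters in `flakeDir`.
      test-push = pkgs.writeShellApplication {
        name = "test-push";
        runtimeInputs = [ pkgs.nh ];
        text = ''
          nh os switch "${flakeDir}#${testHost}" --target-host "root@${testTarget}" -e none
        '';
      };
    in
    {
      imports = with inputs.self.modules.homeManager; [
        rebuild
        john
        mysops
        janus-ca
        step-ssh-user
        mtls
        restic
        docker
        desktop
      ];

      # TODO: make this more restrictive, rather than allowing all unfree packages
      nixpkgs.config.allowUnfree = true;

      # SECURITY: the OpenSSL 1.1.1 series is end-of-life and receives no
      # upstream security fixes, which is why nixpkgs refuses to build it
      # without this allow-list. Whichever dependency still needs it is not
      # identified here — TODO: find that dependency and drop this entry.
      nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];

      targets.genericLinux.enable = true;

      home.username = username;
      home.homeDirectory = "/home/${username}";

      home.packages = [
        pkgs.nixos-rebuild
        test-push
        selfPkgs.neovim-min
        # selfPkgs.my-neovim
        selfPkgs.richPrinter
        selfPkgs.janus-ca
      ];

      shell.program = "zsh";
      homeManagerFlakeDir = flakeDir;
      docker.enable = true;

      # SSH user certificates issued via the "admin" provisioner. "root" is in
      # the principal list because test-push (above) logs in as root@testTarget;
      # the certificate therefore grants root on every host trusting this CA.
      step-ssh-user = {
        enable = true;
        principals = [ "root" username "appdaemon" ];
        provisioner = "admin";
      };

      ssh = {
        certificates.enable = true;
        # Pinned host key for test-nix's IPv6 address (see the address table in
        # the outer let). NOTE(review): test-push connects by the name
        # "test-nix" and OpenSSH looks up known_hosts by the HostName it actually
        # connects to, so this pin only covers that session if one of the match
        # sets maps the name to this address (or sets HostKeyAlias), or if host
        # certificates from certificates.enable cover it — confirm.
        knownHosts = [
          "fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
        ];
        matchSets = {
          certs = true;
          appdaemon = true;
          homelab = true;
          dev = true;
        };
      };

      # Default sops file (appears to be the repo-wide keys/secrets.yaml). Being a
      # relative path literal, Nix copies it into the world-readable store at
      # evaluation time — only the ciphertext lands there, so this is safe as
      # long as the file is never committed or stored unencrypted.
      sops.defaultSopsFile = ../../../keys/secrets.yaml;

      # Working-tree copy of that same file, targeted by mysops' edit-secrets
      # script; derived from flakeDir so the two paths cannot drift apart.
      # NOTE(review): the restic password below is read from the per-host
      # ./secrets.yaml rather than this file — confirm edit-secrets should not
      # point at that one instead.
      mysops.hostSecretFile = "${flakeDir}/keys/secrets.yaml";

      sops.secrets."restic_password" = {
        path = resticPasswordFile;
        mode = "0400";
        sopsFile = ./secrets.yaml; # per-host file; overrides sops.defaultSopsFile
      };

      restic = {
        passwordFile = resticPasswordFile;
        OnCalendar = "*:0/15"; # every 15 minutes
        paths = [
          "${config.xdg.userDirs.documents}"
          "/conf"
        ];
        # Globs below are broader than `paths`; only entries under the backed-up
        # trees actually take effect.
        exclude = [
          "/home/*/Pictures"
          "/home/*/Videos"
          "/home/*/go"
          "/home/*/snap"
          "/home/${username}/john-nas"
        ];
      };

      # Short-lived mTLS client identity for this machine. Renewal every ten
      # minutes keeps the one-hour certificate from lapsing between runs.
      mtls = {
        enable = true;
        subject = hostname;
        san = [
          hostname
          "192.168.1.85"
          "spiffe://john-stream.com/ubuntu"
        ];
        lifetime = "1h";
        renew.onCalendar = "*:1/10";
      };
    };

  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [ homeManager."${hostname}" ];
  };
}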