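# Home Manager configuration for the "john-pc-ubuntu" host: a non-NixOS
# (Ubuntu) machine managed through Home Manager's genericLinux target.
#
# This flake-parts style module exposes two outputs for the host:
#   - flake.modules.homeManager."john-pc-ubuntu": the Home Manager module
#   - flake.homeConfigurations."john-pc-ubuntu": the buildable configuration
{ inputs, ... }:
let
  username = "john";
  hostname = "john-pc-ubuntu";
  # Host that the `test-push` helper deploys to (IPv6 address of the test box).
  testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
in
{
  flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
    let
      # Checkout of this flake on the machine; used by `test-push` and handed to
      # the `rebuild` module through `homeManagerFlakeDir`.
      flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";

      # Certificates issued via the `mtls` module (step-ca layout). Only the
      # root CA and the mTLS client certificate are referenced in this file.
      certDir = "${config.home.homeDirectory}/.step/certs";
      CACert = "${certDir}/root_ca.crt";
      mtlsCert = "${certDir}/mtls.pem";
    in
    {
      imports = with inputs.self.modules.homeManager; [
        rebuild
        john
        resticprofile
        sops
        docker
        desktop
        step-ssh-user
        mtls
      ];

      targets.genericLinux.enable = true;
      shell.program = "zsh";

      home.username = username;
      home.homeDirectory = "/home/${username}";

      home.packages = with pkgs; [
        nixos-rebuild
        # Deploy the `janus` NixOS configuration from this checkout to the test
        # host, switching it as root over SSH. NOTE(review): presumably this
        # authenticates with the step-ssh-user certificate ("root" is among the
        # requested principals below) — confirm.
        (writeShellScriptBin "test-push" ''
          nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
        '')
      ];

      # Client certificate for this host, issued by the step-ca at `caURL`.
      # The SAN list covers the hostname, the LAN address and a SPIFFE ID so the
      # same certificate is accepted whichever name the peer checks.
      mtls = {
        enable = true;
        subject = hostname;
        caURL = "https://janus.john-stream.com/";
        provisioner = "admin";
        san = [
          hostname
          "192.168.1.85"
          "spiffe://john-stream.com/ubuntu"
        ];
      };

      # TODO: remaining host-specific settings:
      # - zsh RESTIC* session variables
      # (the sops secret `restic_password/john_ubuntu` and the resticprofile
      # profile are defined below)

      # TODO: make this more restrictive, rather than allowing all unfree packages
      nixpkgs.config.allowUnfree = true;
      # openssl 1.1.1w is past upstream end-of-life and is marked insecure in
      # nixpkgs; this entry lets evaluation proceed anyway. Record which package
      # still depends on it and drop the exemption once that package moves on.
      nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];

      homeManagerFlakeDir = flakeDir;

      docker.enable = true;

      # SSH user certificates from the step-ca `admin` provisioner, valid for
      # the listed principals.
      step-ssh-user = {
        enable = true;
        principals = [ "root" username "appdaemon" ];
        provisioner = "admin";
      };

      # Options of the shared `john` ssh configuration: enable certificate-based
      # auth and select which Host match blocks are generated.
      ssh = {
        certificates.enable = true;
        matchSets = {
          certs = true;
          appdaemon = true;
          homelab = true;
          dev = true;
        };
      };

      # Repository password, decrypted by sops-nix into resticprofile's config
      # directory. NOTE(review): the `default` profile below does not set
      # `password-file` itself; presumably the inherited `base` profile points
      # at this path — confirm.
      sops.secrets."restic_password/john_ubuntu" = {
        path = "${config.xdg.configHome}/resticprofile/password.txt";
      };

      programs.resticprofile = {
        enable = true;
        profiles = {
          default = {
            # Quoted because `inherit` is a Nix keyword; resticprofile reads it
            # as the parent profile to extend.
            "inherit" = "base";
            # REST backend over HTTPS, pinned to the private root CA and
            # authenticated with the host's mTLS client certificate.
            repository = "rest:https://soteria.john-stream.com/john-ubuntu";
            cacert = CACert;
            tls-client-cert = mtlsCert;
            backup = {
              source = [
                "${config.xdg.userDirs.documents}"
                "/conf"
              ];
              # systemd OnCalendar syntax: every hour at :15, :30 and :45.
              schedule = "*-*-* *:15,30,45:00";
            };
          };
        };
      };
    };

  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [ homeManager."${hostname}" ];
  };
}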