{ config, lib, pkgs, ... }:

# airgapped machine

let
  nixpkgs = builtins.fetchTarball (import ../nixpkgs.nix);
in {
  imports = [ ./users.nix ];

  security.sudo.enable = false;
  #security.pam.services."user".yubicoAuth = true;
  #security.pam.yubico.enable = true;
  #security.pam.yubico.control = "sufficient"; # pam.conf(5)
  #security.pam.yubico.mode = "challenge-response"; # ykpamcfg(1)
  #file."~/.yubico/authorized_yubikeys" = <list of keys>;

  # networking is disabled, but we still need a hostname
  networking.hostName = "oxygen";
  systemd.network.enable = false;

  time.timeZone = "America/New_York";

  environment.systemPackages = [
    pkgs.brightnessctl
  ];

  nixpkgs.config.allowUnfree = false;
  nixpkgs.config.allowBroken = false;

  programs.bash.enableCompletion = true;
  programs.command-not-found.enable = true;
  programs.light.enable = true;
  programs.gnupg.agent.enable = true;
  programs.gnupg.agent.enableSSHSupport = true;

  services.pcscd.enable = true;
  services.printing.enable = true;

  services.xserver.enable = true;
  services.xserver.autorun = true;
  services.xserver.layout = "us";
  services.xserver.libinput.enable = true;
  services.xserver.xkbOptions = "caps:ctrl_modifier";
  services.xserver.displayManager.lightdm.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.desktopManager.xterm.enable = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelParams = [
    # this probably breaks xserver, see https://superuser.com/a/1255015
    # "CONFIG_NET=n"
  ];

  powerManagement.enable = false;

  nix.nixPath = [
    "nixpkgs=${nixpkgs}"
    "nixos-config=/etc/nixos/configuration.nix"
    "/nix/var/nix/profiles/per-user/root/channels"
  ];
  nix.binaryCaches =  [ ];
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    builders-use-substitutes = true
  '';

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.03"; # Did you read the comment?
  system.autoUpgrade.enable = false;
}