{ config, pkgs, lib, inputs, ... }:
{
  imports = [
    #../nixos/profiles/debug.nix
    ../nixos/profiles/lang-fr.nix
    #../nixos/profiles/tor.nix
    aubergine/hardware.nix
    aubergine/networking.nix
    aubergine/nginx.nix
    aubergine/backup.nix
  ];

  # Lower kernel's security for better performances
  boot.kernelParams = [ "mitigations=off" ];

  home-manager.users.julm = {
    imports = [ ../homes/julm.nix ];
  };
  systemd.services.home-manager-julm.postStart = ''
    ${pkgs.nix}/bin/nix-env --delete-generations +1 --profile /nix/var/nix/profiles/per-user/julm/home-manager
  '';
  users.users.julm = {
    isNormalUser = true;
    uid = 1000;
    # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
    # which is already world readable.
    # printf %s $(mkpasswd -m md5crypt)
    hashedPassword = lib.readFile aubergine/users/julm/login/hashedPassword.clear;
    extraGroups = [
      "adbusers"
      "dialout"
      "networkmanager"
      "tor"
      "wheel"
    ];
    # If created, zfs-mount.service would require:
    # zfs set overlay=yes ${hostName}/home
    createHome = true;
    openssh.authorizedKeys.keys = map lib.readFile [
      ../users/root/ssh/losurdo.pub
      ../users/julm/ssh/losurdo.pub
      ../users/julm/ssh/oignon.pub
      ../users/julm/ssh/redmi.pub
    ];
  };
  users.users.root = {
    hashedPassword = "!";
    openssh.authorizedKeys.keys =
      config.users.users.julm.openssh.authorizedKeys.keys;
  };

  #systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
  #  "secret-key-files:" + aubergine/nix/secret-key-files;
  nix = {
    extraOptions = ''
      #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
    '';
    settings = {
      trusted-users = [ config.users.users."julm".name ];
      substituters = [
        #"http://nix-localcache.losurdo.wg"
        #"ssh://nix-ssh@losurdo.wg?priority=30"
        #"ssh://nix-ssh@oignon.wg?priority=30"
      ];
      trusted-public-keys = map lib.readFile [
        ../users/root/nix/oignon.pub
      ];
    };
    nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
  };
  #environment.etc."nixpkgs".source = pkgs.path;
  #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs";

  nix.settings.allowed-users = [ config.users.users."nix-ssh".name ];
  nix.sshServe = {
    enable = true;
    keys = map lib.readFile [
      ../users/julm/ssh/losurdo.pub
      ../users/sevy/ssh/patate.pub
      ../users/julm/ssh/oignon.pub
    ];
  };

  environment.systemPackages = [
  ];

  boot.extraModulePackages = [
    #config.boot.kernelPackages.v4l2loopback
  ];

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you should.
  system.stateVersion = "22.11"; # Did you read the comment?
}