{ lib, config, pkgs, ... }:
{
  krebs.build.host = config.krebs.hosts.vbob;
  makefu.awesome.modkey = "Mod1";
  imports =
    [
      <stockholm/makefu>
      {
        imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
        boot.loader.grub.device = "/dev/sda";
      }
      # <stockholm/makefu/2configs/hw/vbox-guest.nix>
      # <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>

      # base gui
      # <stockholm/makefu/2configs/main-laptop.nix>
      # <stockholm/makefu/2configs/tools/core-gui.nix>

      <stockholm/makefu/2configs/zsh-user.nix>

      # security
      <stockholm/makefu/2configs/sshd-totp.nix>

      # Tools
      <stockholm/makefu/2configs/tools/core.nix>
      <stockholm/makefu/2configs/tools/dev.nix>
      # <stockholm/makefu/2configs/tools/extra-gui.nix>
      # <stockholm/makefu/2configs/tools/sec.nix>

      # environment
      <stockholm/makefu/2configs/tinc/retiolum.nix>
      (let
        gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
        gateway = "10.0.2.2";
      in {
        # make sure the route to gum gets added after the network is online
        systemd.services.wireguard-wg0.after = [ "network-online.target" ];
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.244.0.3/24" ];
          privateKeyFile = (toString <secrets>) + "/wireguard.key";
          # explicit route via eth0 to gum
          preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
          peers = [
          { # gum
            endpoint = "${gum-ip}:51820";
            allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
            publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
            persistentKeepalive = 25;
          }
          ];
        };
      })

    ];
  networking.extraHosts = import (toString <secrets/extra-hosts.nix>);

  # allow vbob to deploy self
  users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];

  environment.shellAliases = {
    forti  = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
  };

  system.activationScripts.prepare-fortclientvpnssl = ''
    # TODO: for forticlientsslpn
    mkdir -p /usr/{s,}bin
    ln -fs ${pkgs.ppp}/bin/pppd /usr/sbin/pppd
    ln -fs ${pkgs.coreutils}/bin/tail /usr/bin/tail
  '';

  # for forticlient
  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = with pkgs;[
    fortclientsslvpn ppp xclip
    get
    logstash
    #devpi-web
    #devpi-client
    ansible
  ];


  networking.firewall.allowedTCPPorts = [
    25
    80
    8010
  ];
  # required for qemu
  systemd.services."serial-getty@ttyS0".enable = true;
}