{
  config,
  pkgs,
  inputs,
  lib,
  nixpkgs-nixos-unstable-and-unfree,
  ...
}: let
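  # CA bundle shipped by the nixpkgs `cacert` package.
  system_cert_bundle_path = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

  # Additional CA certificate stored next to this file.
  # NOTE(review): the file name suggests the CA of a Palo Alto TLS-inspection
  # device; confirm. Every client that trusts this file accepts certificates
  # chaining to it, so check the .pem's fingerprint against an out-of-band
  # source whenever the file changes.
  form3_cert_path = ./form3-palo-alto.pem;

  # One PEM file holding the nixpkgs bundle followed by the extra certificate.
  # An explicit "\n" sits between the two parts so the END line of the last
  # bundled certificate cannot fuse with the BEGIN line of the appended one
  # if the first file ever lacks a trailing newline; an extra blank line
  # between PEM blocks is ignored by parsers.
  # builtins.readFile runs at evaluation time, and the first path lives inside
  # the cacert output, so that output has to be available while evaluating.
  form3_cert_bundle = builtins.toFile "form3-cert-bundle.crt" (
    builtins.readFile system_cert_bundle_path
    + "\n"
    + builtins.readFile form3_cert_path
  );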
in {
  # Modules at ../../git and ../../mercurial (not shown in this file).
  imports = [../../git ../../mercurial];

  system.stateVersion = 4;
  services.nix-daemon.enable = true;
  programs.zsh.enable = true;

  nix = {
    package = pkgs.nixUnstable;
    useDaemon = true;
    gc.automatic = true;
    # Enables the `nix` command-line interface and flakes, both of which are
    # gated behind experimental-features.
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  fonts = {
    fontDir.enable = true;
    fonts = [
      pkgs.nerdfonts
      pkgs.fira-code
      pkgs.font-awesome
      pkgs.material-icons
      pkgs.powerline-fonts
      pkgs.source-code-pro
      pkgs.weather-icons
    ];
  };

  # Trust anchors for the system PKI option: the extra certificate from
  # ./form3-palo-alto.pem plus the nixpkgs CA bundle. Both this list and the
  # bundle used in environment.variables derive from form3_cert_path, so
  # rotating or dropping the extra CA is a change to that one file.
  security.pki.certificateFiles = [form3_cert_path system_cert_bundle_path];

  environment = {
    systemPackages = [pkgs.vim pkgs.nixfmt];

    variables = {
      # Cargo shells out to the `git` executable for fetches, so it follows
      # the user's git configuration (including URL rewrites).
      CARGO_NET_GIT_FETCH_WITH_CLI = "true";

      # CA bundle overrides for Bundler, Nix and OpenSSL-style clients. All
      # three point at the combined file, so programs reading them also trust
      # the extra certificate.
      BUNDLE_SSL_CA_CERT = form3_cert_bundle;
      NIX_SSL_CERT_FILE = form3_cert_bundle;
      SSL_CERT_FILE = form3_cert_bundle;
    };
  };

  # home-manager module for the user `cyryl`.
  home-manager.users.cyryl = {...}: {
    imports = [];

    home.packages = [pkgs.awscli pkgs.kubectl pkgs.cargo-update];

    programs = {
      git = {
        # mkForce gives this address priority over a userEmail defined by
        # another module.
        userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";

        extraConfig = {
          # Every commit is signed with the key identified by this fingerprint.
          commit.gpgsign = true;
          user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";

          # Rewrites https://github.com/ URLs to SSH. GitHub fetches then
          # authenticate with the user's SSH key and depend on SSH host-key
          # verification rather than on the CA bundle.
          "url \"git@github.com:\"" = {
            insteadOf = "https://github.com/";
          };
        };
      };

      gpg = {
        enable = true;
        # Absolute path tied to this account's home directory.
        homedir = "/Users/cyryl/.gnupg";
      };

      # Login shells eval the output of Homebrew's `brew shellenv`.
      # NOTE(review): /opt/homebrew lies outside the Nix store, so this
      # configuration does not pin what that binary is or prints; ownership
      # and permissions of that directory decide who can change it.
      zsh.loginExtra = ''
        eval "$(/opt/homebrew/bin/brew shellenv)"
      '';
    };
  };
}