{
  config,
  pkgs,
  inputs,
  lib,
  nixpkgs-nixos-unstable-and-unfree,
  ...
}: let
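  # Public root CAs shipped by nixpkgs.
  system_cert_bundle_path = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  # Extra root certificate vendored next to this file. Judging by the file
  # name it is presumably the root of a corporate TLS-inspection appliance;
  # confirm with whoever issued it. Anyone able to change this file in the
  # repository decides which additional root the tools configured below will
  # trust, so review changes to it like code and compare its fingerprint with
  # the value published by the issuing team.
  form3_cert_path = ./form3-palo-alto.pem;
  # Single PEM bundle: the public roots followed by the extra root.
  # The explicit "\n" separator keeps the last END CERTIFICATE line of the
  # first file and the BEGIN CERTIFICATE line of the second on separate lines
  # even when the first file has no trailing newline; a blank line between
  # PEM blocks is harmless.
  # NOTE(review): reading a file out of pkgs.cacert here forces that package
  # to be realised at evaluation time (import-from-derivation).
  form3_cert_bundle =
    builtins.toFile "form3-cert-bundle.crt"
    (builtins.concatStringsSep "\n" [
      (builtins.readFile system_cert_bundle_path)
      (builtins.readFile form3_cert_path)
    ]);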
in {
  # Sibling modules pulled into this configuration.
  imports = [
    ../../git
    ../../mercurial
  ];

  # Tools installed for every user of the machine.
  environment.systemPackages = [pkgs.vim pkgs.nixfmt];

  # Nix runs through the daemon, collects garbage automatically and uses the
  # unstable Nix package with the nix-command and flakes features switched on.
  services.nix-daemon.enable = true;
  nix.useDaemon = true;
  nix.gc.automatic = true;
  nix.package = pkgs.nixUnstable;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  # Fonts managed by this configuration and exposed through the font directory.
  fonts = {
    fontDir.enable = true;
    fonts = [
      pkgs.nerdfonts
      pkgs.fira-code
      pkgs.font-awesome
      pkgs.material-icons
      pkgs.powerline-fonts
      pkgs.source-code-pro
      pkgs.weather-icons
    ];
  };
  # Certificate files handed to the system PKI module: the extra root plus the
  # public bundle.
  # NOTE(review): whether the module already includes the public bundle by
  # default was not checked from this file; confirm before removing it here.
  security.pki.certificateFiles = [
    form3_cert_path
    system_cert_bundle_path
  ];

  # Point command-line tooling at the combined bundle. These variables are set
  # for the whole system, so every program that honours them accepts
  # certificates chaining to the extra root for any hostname. Programs with
  # their own trust store or pinned certificates do not read these variables.
  # SSL_CERT_FILE is read by OpenSSL-based tools, NIX_SSL_CERT_FILE by Nix and
  # BUNDLE_SSL_CA_CERT by Bundler.
  environment.variables.SSL_CERT_FILE = form3_cert_bundle;
  environment.variables.NIX_SSL_CERT_FILE = form3_cert_bundle;
  environment.variables.BUNDLE_SSL_CA_CERT = form3_cert_bundle;
  # Make Cargo fetch git dependencies with the git executable, so the user's
  # git configuration (URL rewrites, credentials) applies to those fetches.
  environment.variables.CARGO_NET_GIT_FETCH_WITH_CLI = "true";

  programs.zsh.enable = true;

  # State version of this system configuration; change it deliberately, not as
  # part of a routine update.
  system.stateVersion = 4;

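  # Per-user home-manager configuration for the account "cyryl".
  home-manager.users.cyryl = {...}: {
    imports = [];
    home.packages = with pkgs; [awscli kubectl cargo-update];
    programs = {
      # lib.mkForce gives this address priority over any other module's
      # definition of git.userEmail.
      git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
      git.extraConfig = {
        # Sign every commit with this OpenPGP key. The value is the key's
        # fingerprint, which is public; the private key stays in gpg.homedir.
        user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
        commit.gpgsign = true;
        # Rewrite HTTPS GitHub URLs to SSH, so fetches and pushes authenticate
        # with the user's SSH key instead of an HTTPS credential.
        "url \"git@github.com:\"".insteadOf = "https://github.com/";
      };
      gpg.enable = true;
      gpg.homedir = "/Users/cyryl/.gnupg";
      # Load Homebrew's environment in login shells. The output of the brew
      # binary is evaluated by the shell, so the Homebrew prefix must stay
      # writable only by trusted accounts. The -x guard keeps login shells
      # quiet on a machine where Homebrew is not installed at this path.
      zsh.loginExtra = ''
        if [ -x /opt/homebrew/bin/brew ]; then
          eval "$(/opt/homebrew/bin/brew shellenv)"
        fi
      '';
    };
  };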
}