{
  pkgs,
  lib,
  ...
}: {
  imports = [
    ./programs.nix
  ];

  nixpkgs.config.allowUnfreePredicate = let
    whitelist = with pkgs;
      map lib.getName [
        discord
        steam
        steamcmd
        steam-unwrapped

        winbox

        obsidian
        gitkraken
      ];
  in
    pkg: builtins.elem (lib.getName pkg) whitelist;

  boot.loader = {
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
    };
    grub = {
      efiSupport = true;
      device = "nodev";
      # useOSProber = true;
    };
  };

  # Enable initrd hook for virtual console customisation
  # aka cool colours when bootting yay!!
  console = {
    enable = true;
    earlySetup = true; # initrd pre hook
    keyMap = "us";
    font = "Lat2-Terminus16";
    # ANSI 24-bit color definitions (theme: dracula)
    colors = [
      "21222c"
      "ff5555"
      "50fa7b"
      "f1fa8c"
      "bd93f9"
      "ff79c6"
      "8be9fd"
      "f8f8f2"
      "6272a4"
      "ff6e6e"
      "69ff94"
      "ffffa5"
      "d6acff"
      "ff92df"
      "a4ffff"
      "ffffff"
    ];
  };

  hardware = {
    graphics = {
      enable = true;
      enable32Bit = true;
    };

    bluetooth = {
      enable = true;
      powerOnBoot = true;
    };
  };

  virtualisation.docker.enable = true;

  services = {
    # systemd-resolved provides network name resolution
    # to local processes via a D-Bus interface.
    resolved = {
      enable = true;
      dnssec = "true";
      domains = ["~."];
      # Use CloudFlare's WARP+ 1.1.1.1 DNS service
      fallbackDns = [
        "1.1.1.1#one.one.one.one"
        "1.0.0.1#one.one.one.one"
      ];
      dnsovertls = "true";
    };

    # Multimedia Framework
    # With backwards compatability for alsa/pulseaudio/jack
    pipewire = {
      enable = true;
      audio.enable = true;
      wireplumber.enable = true;

      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
  };

  security = {
    rtkit.enable = true; # I *think* this is for pipewire
    sudo.wheelNeedsPassword = lib.mkDefault true;
  };

  # ---- ENVIRONMENT VARIABLES ----
  environment = {
    # always install "dev" derivation outputs
    extraOutputsToInstall = ["dev" "man"];

    sessionVariables = {
      # folder names with capitalisation look awful!
      XDG_DOWNLOAD_DIR = "$HOME/downloads";
    };
  };

  documentation = {
    enable = true;
    doc.enable = true; # install /share/doc packages
    man.enable = true; # install manpages
    info.enable = true; # install GNU info
    dev.enable = true; # install docs intended for developers
    nixos = {
      enable = true; # install NixOS documentation (ie man -k nix, & nixos-help)
      options.splitBuild = true;
      includeAllModules = false;
    };
  };
}