# credits to raf
{
  config,
  sources,
  lib,
  pkgs,
  ...
}:
let
  # One shared list for both daemon ACLs below. Note the asymmetry in what
  # they grant: allowed-users may merely talk to the daemon, whereas
  # trusted-users can override daemon settings (substituters, sandboxing,
  # trusted keys) and are therefore effectively root-equivalent on this
  # host. Keep this list as short as the workflow permits.
  daemonUsers = [
    "root"
    "@wheel"
    "nix-builder"
  ];
in
{
  # Validate the generated nix.conf at build time: parse it, and report
  # every kind of error rather than only unknown settings.
  nix.checkConfig = true;
  nix.checkAllErrors = true;

  # Channels are switched off outright; flake inputs are the only source.
  nix.channel.enable = lib.modules.mkForce false;

  # Taken from sioodmy: pinning the registry would avoid fetching and
  # evaluating a fresh nixpkgs on every invocation.
  # nix.registry =
  #   lib.mapAttrs (_: v: {flake = v.outPath;}) sources
  #   // {system.flake = sources.nichts;};

  # Mirror every registry entry into NIX_PATH so legacy (non-flake)
  # commands resolve the same inputs as the flake commands do.
  nix.nixPath = lib.attrsets.mapAttrsToList (name: _: "${name}=flake:${name}") config.nix.registry;

  # Run the daemon at the lowest CPU and I/O priority so builds stay in
  # the background.
  nix.daemonCPUSchedPolicy = "idle";
  nix.daemonIOSchedClass = "idle";
  nix.daemonIOSchedPriority = 7;

  # Built-in garbage collection stays off (nh handles it); the schedule
  # is kept so it can be switched on without further edits.
  nix.gc = {
    automatic = false;
    dates = "20:00";
    options = "--delete-older-than 7d";
    persistent = false;
  };

  # Periodic store optimisation (hard-link deduplication).
  nix.optimise = {
    automatic = true;
    dates = [ "21:00" ];
  };

  # Everything below is written to /etc/nix/nix.conf; `man nix.conf`
  # documents each key.
  nix.settings = {
    # Follow the XDG base-directory spec. Existing state is not migrated
    # automatically; it has to be moved by hand when this is flipped on.
    use-xdg-base-directories = true;

    # Deduplicate identical store files with hard links on the fly.
    auto-optimise-store = true;

    # Who may connect to the daemon at all.
    allowed-users = daemonUsers;

    # Who the daemon trusts to override its settings. This is NOT the same
    # as allowed-users: a trusted user can point the daemon at arbitrary
    # substituters and keys and disable the sandbox, so membership here is
    # equivalent to root access.
    trusted-users = daemonUsers;

    # Let Nix size the job count from the machine (usually the core count).
    max-jobs = "auto";

    # Per-build parallelism (e.g. make -j). 0 means "all cores"; combined
    # with max-jobs = "auto" several builds may each claim every core, and
    # some packages build non-deterministically under high parallelism.
    # Only packages with enableParallelBuilding are affected.
    cores = 0;

    # Isolate builds in mount and network namespaces so they cannot reach
    # anything outside the store. sandbox-fallback = false makes a build
    # fail rather than silently run unsandboxed when the sandbox cannot
    # be set up.
    sandbox = true;
    sandbox-fallback = false;

    # Keep building other derivations after one of them fails.
    keep-going = true;

    # Retry a download that has delivered no data for 20 seconds.
    stalled-download-timeout = 20;

    # Lines of build log shown on failure; `nix log` has the rest, but
    # this usually saves a round trip.
    log-lines = 30;

    # Unstable features opted into; `flakes` and `nix-command` are the
    # baseline, the rest are optional.
    extra-experimental-features = [
      "flakes" # flakes
      "nix-command" # experimental nix commands
      "cgroups" # allow nix to execute builds inside cgroups
      "pipe-operators"
    ];

    # Pure evaluation would forbid any external state (env vars, paths
    # outside declared inputs). It is deliberately left off here.
    pure-eval = false;

    # Skip the "git tree is dirty" warning.
    warn-dirty = false;

    # Parallel TCP connections for fetching imports and binary caches;
    # 0 would mean unlimited and the upstream default is 25.
    http-connections = 50; # lower values fare better on slow connections

    # Never apply nix configuration shipped inside a flake without the
    # interactive prompt: a flake's nixConfig can redirect substituters
    # and add trusted keys, so accepting it blindly hands the flake author
    # control over what the daemon trusts.
    accept-flake-config = false;

    # Run builds inside cgroups, a Linux kernel feature that limits,
    # accounts for, and isolates the resource usage (CPU, memory, disk
    # I/O, etc.) of a collection of processes. Linux only.
    use-cgroups = pkgs.stdenv.isLinux;

    # Keep derivations and outputs alive so direnv's GC roots stay valid.
    keep-derivations = true;
    keep-outputs = true;

    # Remote builders may pull from the binary cache themselves.
    builders-use-substitutes = true;

    # Binary caches and the keys their narinfos must be signed with.
    substituters = [ "https://cache.nixos.org" ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    ];

    # Determinate nix config
    # ===========================================
    # lazy-trees = true;
    # ===========================================
  };

  # Building on tmpfs is a bad idea (memory pressure, large outputs), so
  # the daemon gets a disk-backed TMPDIR.
  systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";

  # Only run garbage collection while on AC power; noticeably kinder to
  # battery life.
  systemd.services.nix-gc.unitConfig.ConditionACPower = true;
}