{
  tree,
  config,
  pkgs,
  ...
}: let
  # Shorthand for the secret set exposed under config.services.secrets; the only
  # entry this file reads is system_mail_password.path (SMTP password, see programs.msmtp).
  secrets = config.services.secrets.secrets;
in {
  # Modules that make up this host. Entries taken from the project's `tree` are
  # written out in full so the origin of every name is visible at a glance.
  imports = [
    tree.users.root

    tree.profiles.base
    tree.profiles.sshd
    tree.profiles.nix-gc

    # Host-local modules kept next to this file.
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];

  # /etc/mdadm.conf for the software-RAID monitor.
  # PROGRAM names the hook that `mdadm --monitor` runs for each event; it points at the
  # mdadm-notify script that environment.systemPackages installs into the system profile.
  # The hook runs with the identity of the monitor process. The mdmonitor service in this
  # file sets no User=, so that is presumably root (confirm no other module overrides it).
  # HOMEHOST <ignore>: NOTE(review) presumably disables homehost matching when arrays are
  # assembled; confirm against mdadm.conf(5) for the mdadm version in use.
  environment.etc."mdadm.conf".text = ''
    HOMEHOST <ignore>
    PROGRAM /run/current-system/sw/bin/mdadm-notify
  '';

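  # some taken from https://github.com/hunleyd/mdadm_notify/blob/master/mdadm_notify
  #
  # mdadm-notify is the PROGRAM hook named in /etc/mdadm.conf: it receives the event name,
  # the md device and (for some events) the component device as $1..$3, and mails a
  # one-line summary of the event through msmtp.
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "mdadm-notify" ''
      event=$1
      md_device=$2
      device=$3

      case "$event" in
        DegradedArray)
          msg="$md_device is running in DEGRADED MODE"
          ;;
        DeviceDisappeared)
          msg="$md_device has DISAPPEARED"
          ;;
        Fail)
          msg="$md_device had an ACTIVE component FAIL ($device)"
          ;;
        FailSpare)
          msg="$md_device had a SPARE component FAIL during rebuild ($device)"
          ;;
        MoveSpare)
          msg="SPARE device $device has been MOVED to a new array ($md_device)"
          ;;
        NewArray)
          # silence NewArray
          exit 0
          ;;
        Rebuild??)
          # Drop the "Rebuild" prefix; what remains is the two-character progress value.
          percent=$(printf '%s' "$event" | sed 's/^Rebuild//')
          msg="$md_device REBUILD is now $percent% complete"
          ;;
        RebuildFinished)
          msg="REBUILD of $md_device is COMPLETE or ABORTED"
          ;;
        RebuildStarted)
          msg="RECONSTRUCTION of $md_device has STARTED"
          ;;
        SpareActive)
          msg="$device has become an ACTIVE COMPONENT of $md_device"
          ;;
        SparesMissing)
          msg="$md_device is MISSING one or more SPARE devices"
          ;;
        TestMessage)
          msg="TEST MESSAGE generated for $md_device"
          ;;
        *)
          # Unlisted events still produce a readable body instead of an empty mail.
          msg="$md_device reported unhandled event $event"
          ;;
      esac

      # Event and message are passed as printf arguments, never as the format string:
      # the rebuild message contains "% c", which printf would parse as a conversion
      # and silently eat part of the text.
      # msmtp is called by store path so the hook does not depend on the caller's PATH.
      printf 'Subject: BuildBox mdadm: %s\n\n%s\n' "$event" "$msg" \
        | ${pkgs.msmtp}/bin/msmtp "all@owo.monster"
    '')
  ];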

  # Outgoing mail account used for system notifications (the mdadm-notify hook pipes into msmtp).
  programs.msmtp = {
    enable = true;
    accounts.default = {
      # Authenticated submission over TLS on port 587.
      host = "mail.owo.monster";
      port = 587;
      protocol = "smtp";
      tls = true;
      auth = true;

      user = "system@owo.monster";
      from = "system@owo.monster";

      # Only this command string ends up in the msmtp configuration; the password is
      # read from the secret file each time mail is sent.
      # NOTE(review): assumes .path is a runtime path string rather than a Nix path
      # literal (which would copy the secret into the store), and that the file is
      # readable only by the user running msmtp. Confirm both in ./secrets.nix.
      passwordeval = "cat ${secrets.system_mail_password.path}";
    };
  };

  # Long-running RAID monitor. mdadm scans for arrays and, on each event, runs the
  # PROGRAM hook from /etc/mdadm.conf, which in turn needs msmtp to send mail.
  systemd.services.mdmonitor = {
    wantedBy = ["multi-user.target"];
    # NOTE(review): requires= alone adds no ordering; if mail must not be attempted
    # before networking units are started, an after= entry would be needed. Confirm intent.
    requires = ["network.target"];

    # Tools made available on the service's PATH.
    path = [pkgs.mdadm pkgs.msmtp];

    # No User= is set here, so unless another module adds one the monitor and the hook
    # it spawns run with systemd's default identity.
    serviceConfig.Restart = "always";
    serviceConfig.StartLimitAction = "none";

    script = ''
      exec mdadm --monitor --scan
    '';
  };

  # home-manager profile for root, built from the project's shared home modules.
  home-manager.users.root = {
    home.stateVersion = "22.05";
    imports = [
      tree.home.base
      tree.home.dev.small
    ];
  };

  # Host identity and locale.
  networking.hostName = "buildbox";
  time.timeZone = "Europe/London";

  # Release whose stateful defaults this machine was installed with; it is not the
  # nixpkgs version in use and should not be bumped as part of a routine upgrade.
  system.stateVersion = "22.05";
}