{ config, lib, pkgs, ... }:
{
  services.home-assistant = {
    enable = true;
    configDir = "/var/lib/hass/hass";

    # disables config generation, i don't wanna configure home assistant
    # through nix at the moment
    config = null;

    extraComponents = [
      "esphome"
      "met"
      "radio_browser"
    ];

    extraPackages = python3Packages: with python3Packages; [
      getmac
      aiohue
      numpy
      aiodhcpwatcher
      async-upnp-client
      gtts
      numpy
      plexapi
      pyipp
      paho-mqtt
      pyturbojpeg
    ];
  };

  # configures the config directory to be mounted
  # correctly with the right permissions
  systemd.services.hass-permissions = {
    wantedBy = [ "multi-user.target" ];
    after = [ "var-lib-hass.mount" ];
    requires = [ "var-lib-hass.mount" ];
    before = [ "home-assistant.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.bash}/bin/bash -c 'mkdir -p /var/lib/hass/hass && chown hass:hass /var/lib/hass/hass'";
      RemainAfterExit = true;
    };
  };

  networking = {
    nftables.enable = true;

    firewall = {
      enable = true;
      allowedTCPPorts = [
        8123
      ];
    };
  };

  users.users.nixos = {
    isNormalUser = true;
    uid = 1000;
    extraGroups = ["wheel"];

    hashedPassword = "$2b$05$94fPE/15g7ix7glKOaN0AeVMpitMivtQtcFL.aZIouQngOJ6nGMSC";
  };

  system.stateVersion = "25.11";
}