# NixOS hardware module for an x86_64 host: initrd and kernel modules, a
# hardening-oriented kernel command line, the graphics stack and CPU microcode.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # NOTE(review): upstream NixOS spells this option hardware.bluetooth.enable;
  # this path is presumably declared by a project-local module - confirm.
  wireless.bluetooth.enable = true;

  # Closing the lid triggers no action, so the machine keeps running while shut;
  # the power key suspends.
  # NOTE(review): session locking is not configured in this file - confirm it is
  # handled elsewhere, since the disk is unlocked without a passphrase (below).
  services.logind.lidSwitch = "ignore";
  services.logind.powerKey = "suspend";

  boot = {
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];

    initrd = {
      # systemd-based initrd, needed for auto-unlocking with the TPM.
      # NOTE(review): with TPM auto-unlock the volume opens at boot with no user
      # secret, so protection of data at rest rests on the PCR policy chosen at
      # enrollment and on the login prompt. The enrollment is not visible here -
      # confirm which PCRs are bound and whether a PIN is required.
      systemd.enable = true;
      availableKernelModules = [
        "xhci_pci"
        "ahci"
        "nvme"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ "i915" ];
    };

    kernelParams = [
      # CPU-mitigation switches the author left disabled; kernel defaults apply.
      # "mitigations=auto"
      # "spectre_v2=on"
      # "spectre_v2_user=on"
      # "spectre_bhi=on"
      # "spec_store_bypass_disable=on"
      # "tsx=off"
      # "kvm.nx_huge_pages=force"
      # "l1d_flush=on"

      # Active parameters, kept in the original order.
      # amd_iommu / intel_iommu / iommu.* / iommu=force: keep device DMA behind
      #   the IOMMU (no passthrough, strict invalidation).
      # efi=disable_early_pci_dma: closes the DMA window before the kernel
      #   takes over from firmware.
      # lockdown=confidentiality: kernel lockdown in its strictest mode; this
      #   also disables hibernation.
      # module.sig_enforce=1: only has an effect on kernels built with module
      #   signing. NOTE(review): confirm the kernel in use ships signed modules;
      #   otherwise this is either ignored or blocks module loading.
      # gather_data_sampling / reg_file_data_sampling target Intel CPUs and
      #   spec_rstack_overflow targets AMD CPUs. NOTE(review): the host loads
      #   kvm-amd and AMD microcode, so the Intel-only entries are presumably
      #   inert here - confirm.
      "amd_iommu=force_isolation"
      "debugfs=off"
      "efi=disable_early_pci_dma"
      "gather_data_sampling=force"
      # "ia32_emulation=0"
      "intel_iommu=on"
      "iommu.passthrough=0"
      "iommu.strict=1"
      "iommu=force"
      "lockdown=confidentiality"
      "module.sig_enforce=1"
      "page_alloc.shuffle=1"
      "reg_file_data_sampling=on"
      "spec_rstack_overflow=safe-ret"
      "vsyscall=none"
    ];
  };

  hardware = {
    graphics = {
      enable = true;
      # Intel media / VA-API userspace, matching the i915 module loaded in initrd.
      extraPackages = [
        pkgs.intel-media-driver
        pkgs.vaapiIntel
        pkgs.vpl-gpu-rt
      ];
    };

    # Microcode updates follow the redistributable-firmware setting unless a
    # higher-priority definition overrides this default.
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };
}