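# NixOS host module for the T2 MacBook Pro ("t2mbp"), exported as
# `flake.nixosModules.t2mbpConfiguration`.
{ self, inputs, ... }:
{
  flake.nixosModules.t2mbpConfiguration =
    # NOTE: the module argument `self` shadows the outer flake-level `self` inside this body.
    { self, config, pkgs, ... }:
    {
      imports = [
        self.nixosModules.t2mbpHardware
        self.nixosModules.t2linux
        inputs.t2fanrd.nixosModules.t2fanrd
        inputs.home-manager.nixosModules.home-manager
        inputs.sops-nix.nixosModules.sops
        self.nixosModules.system
        self.nixosModules.desktop
        self.nixosModules.users
        self.nixosModules."client-services"
        ./_private/platform.nix
        ./_private/firmware.nix
      ];

      # ───────────────────────────── Sops (see repo secrets/.sops.yaml) ───────────
      sops = {
        defaultSopsFile = ../../../secrets/secrets.yaml;
        defaultSopsFormat = "yaml";
        # The age identity is derived from the SSH host key, so anything that can read this
        # private key can decrypt every secret encrypted to this host. Keep the key root-only
        # and re-encrypt the secrets if the host key is ever rotated or exposed.
        age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      };

      # Decrypted secrets below are readable only by their owner (mode 0400).
      sops.secrets."caching/attic/token" = {
        owner = "olivier";
        group = "users";
        mode = "0400";
      };

      # Decrypted before user accounts are created so the password hash is available to them.
      sops.secrets."users/olivier/hashedPassword".neededForUsers = true;

      sops.secrets."swiftshare/API_KEY" = {
        owner = "olivier";
        group = "users";
        mode = "0400";
      };

      chiasson.system.librepods.enable = true;
      chiasson.system.palera1n.enable = true;

      # T2 SMC fans: without a daemon they sit near minimum while thermald only throttles CPU —
      # https://wiki.t2linux.org/guides/fan/
      services.t2fanrd = {
        enable = true;
        # Upstream averages 50 samples (~5s); peak tracks spikes so fans hit sysfs max sooner
        # under bursty browser/GPU load (see patches/t2fanrd-use-peak-temperature.patch).
        package = inputs.t2fanrd.packages.x86_64-linux.default.overrideAttrs (old: {
          patches = (old.patches or [ ]) ++ [
            ../../../patches/t2fanrd-use-peak-temperature.patch
          ];
          #TODO[epic=Moderate] Move patch file to host's directory.
        });
        config = {
          Fan1 = {
            low_temp = 40;
            high_temp = 65;
            speed_curve = "exponential";
            always_full_speed = false;
          };
          Fan2 = {
            low_temp = 40;
            high_temp = 65;
            speed_curve = "exponential";
            always_full_speed = false;
          };
        };
      };

      # Dynamic function row on the Touch Bar (`tiny-dfr`; needs `DRM_APPLETBDRM` — see t2linux kernel opts).
      hardware.apple.touchBar.enable = true;

      # ─────────────────────── Attic (pull + push + CLI token) ────────────────────
      chiasson.system.caching.attic = {
        enable = true;
        cacheName = "nixos-new";
        # NOTE(review): plain HTTP. The endpoint is a private-range address, but the token read
        # from `tokenFile` presumably travels unencrypted to it, and push is enabled, so anyone
        # able to observe that network segment could capture a credential that can write to the
        # cache. Prefer a TLS endpoint (or a tunnel) if the cache server supports one.
        endpoint = "http://192.168.2.238:8080/";
        # Presumably used as the trusted signing key for paths pulled from this cache, which
        # protects substitute integrity but not the confidentiality of the token — confirm in
        # the caching module.
        publicKey = "nixos-new:8NySIcT0HP7KvGQKgBRWoWESxxRA8BVYo8S85UNpNX0=";
        tokenFile = config.sops.secrets."caching/attic/token".path;
        push.enable = true;
        userCli.enable = true;
      };

      # ─────────────────────── Display Server & Desktop ──────────────────────────
      chiasson.desktop = {
        niri = {
          enable = true;
          # Hybrid T2 + `apple-gmux force_igd` + blacklisted amdgpu: a TB/DP encoder often stays
          # "connected" with junk EDID → niri sees a second head (`Unknown-1`, absurd mode). Off.
          extraSettings.extraConfig = ''
            output "Unknown-1" {
                off
            }
          '';
        };
        defaultSession = "niri";
        shell = "dms";
      };

      chiasson.system = {
        # All remote-desktop services stay disabled on this host.
        remoteDesktop = {
          enable = false;
          moonlight.enable = false;
          sunshine.enable = false;
        };
        audio.enable = true;
        extraPackages = [ pkgs.sops ];
        networking = {
          hostName = "t2mbp";
          networkManager.enable = true;
        };
      };

      chiasson.users.enabled = [ "olivier" ];

      chiasson.users.extraModules.olivier = [
        self.homeManagerModules.wisdomFilebrowsersDolphin
        self.homeManagerModules.wisdomTerminalsKitty
        self.homeManagerModules.wisdomBrowsersZen
        self.homeManagerModules.wisdomBrowsersChrome
        self.homeManagerModules.wisdomBrowsersEdge
        self.homeManagerModules.wisdomEditorsCursor
        self.homeManagerModules.wisdomEditorsKate
        self.homeManagerModules.wisdomEditorsObsidian
        self.homeManagerModules.wisdomShellYazi
        self.homeManagerModules.wisdomShellFish
        self.homeManagerModules.wisdomShellOhMyPosh
        self.homeManagerModules.wisdomAppsDiscord
        self.homeManagerModules.wisdomAppsSpotify
        self.homeManagerModules.wisdomAppsLocalsend
        self.homeManagerModules.wisdomAppsPokeclicker
        self.homeManagerModules.wisdomDesktopScreenshot
        {
          chiasson.home = {
            shell = {
              fish.enable = true;
              yazi.enable = true;
              ohMyPosh.enable = true;
            };
            terminals.kitty.enable = true;
            filebrowsers.dolphin.enable = true;
            browsers = {
              zen.enable = false;
              chrome.enable = false;
              edge.enable = true;
            };
            editors = {
              cursor.enable = true;
              kate.enable = false;
              obsidian.enable = true;
            };
            apps = {
              discord.enable = true;
              spotify.enable = false;
              localsend.enable = true;
              pokeclicker.enable = true;
            };
            desktop = {
              screenshot = {
                enable = true;
                # Take the path from the sops declaration instead of hard-coding it, as the Attic
                # `tokenFile` does. With sops-nix's default layout this is still
                # /run/secrets/swiftshare/API_KEY, but it now follows the declaration if the
                # secret is renamed or relocated. `config` is the enclosing NixOS module's
                # config, because this list element is a plain attribute set, not a function.
                swiftshareApiKeyFile = config.sops.secrets."swiftshare/API_KEY".path;
              };
            };
          };
        }
      ];
    };
}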