{
  # SSH public key that is authorised for root on the live system,
  # e.g. the output of: cat ~/.ssh/id_rsa.pub
  # Left empty, no usable key is installed for root.
  publicSshKey ? ""
, # Host that the announce service contacts through Tor on port 1337.
  # Original note: remote-install-get-hiddenReceiver (presumably the helper
  # that prints this value; confirm against the install tooling).
  hiddenReceiver ? ""
,
}:
{ config, lib, pkgs, ... }: {

  imports = [
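    {
      # system setup
      networking.hostName = "liveos";

      # This key is the only SSH credential configured for root (password
      # logins are switched off in the ssh section of this file). With an
      # empty publicSshKey the list used to contain one blank entry, which
      # authorises nobody; drop it instead and report the situation at
      # evaluation time so an unreachable image is not built unnoticed.
      users.extraUsers.root.openssh.authorizedKeys.keys =
        lib.optional (publicSshKey != "") publicSshKey;

      warnings = lib.optional (publicSshKey == "")
        "liveos: publicSshKey is empty; root will have no authorized SSH key";
    }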
    {
      # installed packages
      # Everything below is taken from pkgs and ends up on the live system's
      # PATH; the groups mirror what the tools are used for.
      environment.systemPackages = [
        # style
        pkgs.most
        pkgs.rxvt_unicode.terminfo

        # monitoring tools
        pkgs.htop
        pkgs.iotop

        # network
        # (the hidden-ssh-announce unit calls ncat from the nmap package by
        # store path, independently of this list)
        pkgs.iptables
        pkgs.iftop
        pkgs.nmap

        # stuff for dl
        pkgs.aria2

        # neat utils
        pkgs.pciutils
        pkgs.psmisc
        pkgs.tmux
        pkgs.usbutils
        pkgs.git

        # unpack stuff
        pkgs.p7zip
        pkgs.unzip
        pkgs.unrar

        # data recovery
        pkgs.ddrescue
        pkgs.ntfs3g
        pkgs.dosfstools
      ];
    }
    {
      # bash configuration
      programs.bash.enableCompletion = true;

      # Prompt colour depends on who is logged in: one colour for uid 0,
      # another for uid 1337, a third (with the user name shown) for everyone
      # else. When SSH_CLIENT is set the host name is put in front of the
      # prompt and into the terminal title.
      #
      # NOTE(review): the title is written with `echo -ne`, which expands
      # backslash escapes that occur inside $PWD. On a machine used to browse
      # recovered or otherwise untrusted filesystems, directory names are not
      # trustworthy input for that; a printf with a fixed format string and
      # the path passed as a %s argument would keep the path literal.
      # Left as is here to preserve behaviour.
      programs.bash.promptInit = ''
          if test $UID = 0; then
            PS1='\[\033[1;31m\]\w\[\033[0m\] '
            PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
          elif test $UID = 1337; then
            PS1='\[\033[1;32m\]\w\[\033[0m\] '
            PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
          else
            PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
            PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
          fi
          if test -n "$SSH_CLIENT"; then
            PS1='\[\033[35m\]\h'" $PS1"
            PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
          fi
        '';

      # History and completion settings for interactive shells: large
      # history that is appended to, with duplicates and space-prefixed
      # commands left out, and `cd` completing directories only.
      programs.bash.interactiveShellInit = ''
          HISTCONTROL='erasedups:ignorespace'
          HISTSIZE=65536
          HISTFILESIZE=$HISTSIZE

          shopt -s checkhash
          shopt -s histappend histreedit histverify
          shopt -s no_empty_cmd_completion
          complete -d cd
        '';
    }
    {
      # ssh configuration
      # sshd is enabled with password logins turned off, so the authorised
      # key configured for root is the only way in over SSH.
      #
      # NOTE(review): nothing in this file restricts sshd to the loopback
      # address, so besides the onion service it presumably also answers on
      # the machine's ordinary network interfaces; confirm that is intended.
      services.openssh = {
        enable = true;
        passwordAuthentication = false;
      };

      # mkForce gives this definition override priority, so sshd is pulled in
      # by multi-user.target even where another module sets wantedBy
      # differently (presumably an installer profile that leaves sshd
      # stopped; verify against the base image).
      systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
    }
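    {
      # hidden ssh announce
      #
      # Exposes sshd as a v3 onion service and, once Tor has written the
      # onion hostname, sends a ready-made ssh command line containing that
      # hostname to hiddenReceiver on port 1337 through Tor.
      #
      # The announcement is a plain-text line. Whoever can read it learns the
      # onion address; logging in still requires the private key matching
      # publicSshKey.
      config =
        let
          torDirectory = "/var/lib/tor";
          hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
          # hiddenReceiver is a build argument that gets spliced into a shell
          # script. Quote it so whitespace or shell metacharacters in the
          # value cannot alter the command that runs as the tor user.
          receiver = lib.escapeShellArg hiddenReceiver;
        in
        {
          services.tor = {
            enable = true;
            client.enable = true;
            relay.onionServices.hidden-ssh = {
              version = 3;
              map = [{
                # onion port 22 -> local sshd on port 22
                port = 22;
                target.port = 22;
              }];
            };
          };

          # Without a receiver there is nobody to announce to and the connect
          # loop in the script could never succeed, so the unit is only
          # defined when hiddenReceiver is set.
          systemd.services.hidden-ssh-announce = lib.mkIf (hiddenReceiver != "") {
            description = "irc announce hidden ssh";
            after = [ "tor.service" "network-online.target" ];
            wants = [ "tor.service" ];
            wantedBy = [ "multi-user.target" ];
            serviceConfig = {
              ExecStart = pkgs.writers.writeDash "irc-announce-ssh" ''
                set -efu
                # wait until Tor has created the onion service hostname file
                until test -e ${hiddenServiceDir}/hostname; do
                  echo "still waiting for ${hiddenServiceDir}/hostname"
                  sleep 1
                done
                # wait until the receiver accepts connections through Tor,
                # then send it the ssh command line for this machine
                until ${pkgs.tor}/bin/torify ${pkgs.netcat-openbsd}/bin/nc -z ${receiver} 1337; do sleep 1; done && \
                  echo "torify ssh root@$(cat ${hiddenServiceDir}/hostname) -i ~/.ssh/id_rsa" | ${pkgs.tor}/bin/torify ${pkgs.nmap}/bin/ncat ${receiver} 1337
              '';
              PrivateTmp = "true";
              # runs as tor, presumably so the script may read the hostname
              # file inside the Tor state directory
              User = "tor";
              Type = "oneshot";
            };
          };
        };
    }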
  ];
}