{ config, pkgs, modulesPath, lib, ... }:

{
  # We rely on the QEMU Guest Agent profile so that Proxmox can talk
  # to the VM’s guest-agent.
  imports = [
    # Enables QEMU Guest Agent support in the VM
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  config = {
    # Provide a default hostname
    networking.hostName = lib.mkDefault "base";
    # Allow unfree packages if you ever need them.
    nixpkgs.config.allowUnfree = true;

    # QEMU Guest Agent (Proxmox integration)
    # Ensure the qemu-guest-agent service is enabled so Proxmox can query
    # the VM for IPs, etc.
    services.qemuGuest.enable = lib.mkDefault true;

    # GRUB on the “boot drive”
    # Both live and template should install a bootloader on /dev/disk/by-label/nixos.
    boot.loader.grub.enable = lib.mkDefault true;
    boot.loader.grub.devices = [ "nodev" ];

    # Grow the root partition on first boot
    boot.growPartition = lib.mkDefault true;

    # Sudo: Do not require a password for wheel group
    security.sudo.wheelNeedsPassword = false;

    # OpenSSH: disable password‐based auth, only allow key‐based
    services.openssh = {
      enable = true;
      settings.PermitRootLogin = "prohibit-password";
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
    };

    programs.ssh.startAgent = true;

    # root SSH authorized_keys
    users.users.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUP7m8jZJiclZGfSje8CeBYFhX10SrdtjYziuChmj1X plasmagoat@macbook-air"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlzZWik5bbH6/xjiCpwo1SQSJ/J/Cv7y4ZQ45P68GLB forgejo-runner"
      "something"
    ];

    # Default filesystem on
    fileSystems."/" = lib.mkDefault {
      device = "/dev/disk/by-label/nixos";
      autoResize = true;   # grow on first boot
      fsType = "ext4";
    };

    # Timezone & Keyboard
    time.timeZone = "Europe/Copenhagen";
    console.keyMap = "dk-latin1";

    # Default set of packages
    environment.systemPackages = with pkgs; [
      vim    # emergencies
      git    # pulling flakes, code
      curl   # downloading things
    ];

    # Nix settings (cache, experimental, gc)
    nix.settings.trusted-users = [ "root" "@wheel" ];
    nix.settings.experimental-features = [ "nix-command" "flakes" ];
    nix.extraOptions = ''
        experimental-features = nix-command flakes
        keep-outputs = true
        keep-derivations = true
    '';
    nix.gc.automatic = true;
    nix.gc.dates     = "weekly";
    nix.gc.options   = "--delete-older-than 7d";

    system.stateVersion = lib.mkDefault "25.05";
  };
}