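{ config, pkgs, ... }:

let
  # Single source of truth for the SSH listen port: it is referenced both by
  # the sshd configuration and by the firewall allow-list below, and the two
  # must stay in sync or SSH becomes unreachable after a rebuild.
  sshPort = 222;
in
{
  # Minimal system packages.
  # NOTE(review): listing `cron` and `logrotate` here only installs the
  # binaries; it does NOT start the corresponding services. If scheduled jobs
  # or log rotation are expected, the `services.cron` / `services.logrotate`
  # options have to be enabled separately — confirm against intent.
  environment.systemPackages = with pkgs; [
    vim nano git curl htop tmux rsync ncdu iotop nethogs lsof strace jq tree
    unzip zip pciutils usbutils smartmontools lm_sensors nmap tcpdump nettools
    bind.dnsutils openssl ethtool sysstat logrotate cron
  ];

  # Nix store optimisation and garbage collection.
  nix.settings = {
    auto-optimise-store = true;
    # Only members of the `users` group may talk to the Nix daemon.
    allowed-users = [ "@users" ];
  };
  nix.gc = {
    automatic = true;
    dates = "weekly";
    # Generations older than 90 days are removed by the weekly run.
    options = "--delete-older-than 90d";
  };

  # Docker daemon.
  virtualisation.docker.enable = true;

  # Bootloader (UEFI, systemd-boot).
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # SSH server: non-default port, key-only authentication, no root login.
  services.openssh = {
    enable = true;
    ports = [ sshPort ];
    settings = {
      PasswordAuthentication = false;
      # Disable root SSH login entirely; administration goes through the
      # wheel user below.
      PermitRootLogin = "no";
    };
  };

  # SSHGuard — watches the auth log for brute-force attempts and blocks the
  # offending source addresses.
  services.sshguard.enable = true;

  # Passwordless sudo for the wheel group.
  # NOTE(review): combined with key-only SSH this means the authorised SSH key
  # is the single secret standing between an attacker and root — nothing else
  # is asked for after login. Keep the private key hardware-backed or
  # passphrase-protected, or set wheelNeedsPassword = true if a second factor
  # at privilege escalation is wanted.
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  # Administrative user.
  users.users.kawaiipunk = {
    isNormalUser = true;
    # wheel  -> sudo access (passwordless, see security.sudo above).
    # docker -> access to the Docker socket. NOTE(review): docker-group
    #           membership is generally considered equivalent to root, so this
    #           does not add a privilege boundary beyond wheel.
    extraGroups = [ "wheel" "docker" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMniNzAzuI527bfk/EipqFILFayUCwYXDoZ3R7+QgYq6 kawaiipunk@ZeroCool"
    ];
  };

  # Firewall — only expose HTTP, HTTPS and the SSH port chosen above.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 sshPort ];
  };

  # VM variant (used by `nixos-rebuild build-vm`).
  virtualisation.vmVariant = {
    virtualisation = {
      memorySize = 2048;
      cores = 2;
    };
  };

  system.stateVersion = "25.05";
}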