# NixOS module for a Kubernetes base-template VM: BIOS/GRUB boot, QEMU guest
# agent, key-only SSH, containerd with systemd cgroups, the kernel settings
# Kubernetes networking expects, and one admin account.
{ lib, pkgs, ... }:

let
  # Prefer the 1.31 package set, but fall back to the channel's default
  # `kubernetes` when that attribute is absent. The fallback is silent, so the
  # version actually installed can drift with the nixpkgs revision.
  kubernetesPkg = pkgs.kubernetes_1_31 or pkgs.kubernetes;

  # Only present on machines where the hardware scan has been generated.
  hardwareConfig = ./hardware-configuration.nix;
in
{
  imports = lib.optionals (builtins.pathExists hardwareConfig) [ hardwareConfig ];

  networking = {
    hostName = "k8s-base-template";
    useDHCP = lib.mkDefault true;
    # Fixed public resolvers: every lookup from the node leaves the network.
    # NOTE(review): confirm this is intended rather than an internal resolver.
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    # No firewall options are set in this module, so whatever the NixOS
    # defaults or other imported modules define applies — TODO confirm.
  };

  boot = {
    loader = {
      systemd-boot.enable = lib.mkForce false;
      grub = {
        enable = true;
        device = "/dev/sda";
      };
    };

    # Overlay filesystem for container layers; br_netfilter so bridged pod
    # traffic is visible to iptables (see the sysctls below).
    kernelModules = [ "overlay" "br_netfilter" ];

    kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
    };
  };

  services = {
    qemuGuest.enable = true;

    openssh = {
      enable = true;
      settings = {
        # Password and keyboard-interactive logins are off; only key-based
        # authentication remains.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Root may still log in directly with a key. No authorized keys are
        # declared in this module, so they must come from elsewhere.
        PermitRootLogin = "prohibit-password";
      };
    };
  };

  virtualisation.containerd = {
    enable = true;
    # Use the systemd cgroup driver for runc.
    settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = true;
  };

  # Force swap off regardless of what other modules declare
  # (presumably because the kubelet expects no swap — confirm).
  swapDevices = lib.mkForce [ ];

  nix = {
    settings = {
      # Being a trusted Nix user is effectively root-equivalent on this host.
      trusted-users = [ "root" "micqdf" ];
      auto-optimise-store = true;
    };

    # Daily collection of generations older than three days; this also bounds
    # how far back a rollback can go.
    gc = {
      automatic = true;
      dates = "daily";
      options = "--delete-older-than 3d";
    };
  };

  programs.fish.enable = true;

  users.users.micqdf = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    shell = pkgs.fish;
  };

  # Members of wheel (micqdf above) get root through sudo without a password,
  # so control of that account's SSH key is control of the node.
  security.sudo.wheelNeedsPassword = false;

  environment.systemPackages = with pkgs; [
    btop
    cni-plugins
    conntrack-tools
    containerd
    cri-tools
    curl
    dig
    ebtables
    ethtool
    eza
    fd
    fzf
    git
    htop
    iproute2
    iptables
    ipvsadm
    jq
    kubernetes-helm
    kubernetesPkg
    ripgrep
    socat
    tree
    unzip
    vim
    neovim
    wget
  ];

  system.stateVersion = "25.05";
}