{ lib, pkgs, ... }:

{
  imports =
    lib.optional (builtins.pathExists ./hardware-configuration.nix)
      ./hardware-configuration.nix;

  networking.hostName = "nixos-template";
  networking.useDHCP = lib.mkDefault true;
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];

  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
  };

  services.qemuGuest.enable = true;
  services.openssh.enable = true;
  services.tailscale.enable = true;
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "prohibit-password";
  };

  programs.fish.enable = true;

  users.users.micqdf = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDyfhho9WSqK2OWxizt45Q5KHgox3uVWDnbvMBJaDnRph6CZeKmzaS60/+HN/o7MtIm+q86TfdYeWJVt4erPEvrYN8AWfvCWi+hP2Y0l18wS8GEA+efEXyQ5CLCefraXvIneORObKetzO73bq0HytDRXDowc4J0NcbEFB7ncf2RqVTC6QRlNPRD3jHLkUeKXVmyteNgTtGdMz4MFHCC7xtzgL7kEuuHDEWuVhPkK+dkeGBejq+RzkYcd8v37L7NjFZCK91jANBVcQnTLQVUVVlMovVPyoaROn4N8KpIhb85SYZIJGUEKMhmCowb2NnZLJNC07qn8sz1dmNZO635aquuWMhZTevCySJjvIuMxDSffhBaAjkK1aVixMCW3jyzbpFIEG6FOj27TpcMnen6a0j0AecdCKgXI/Ezb08pj9qmVppAvJPyYoqN4OwHNHGWb8U2X3GghFesei8ZmBgch12RkIaXYxVzkNqv3FG4kAMFMEnGe4e6aqAAuDzUIkcjsPl2XrNJp+pxnPWDc7EMTKPUuKIcteXVDgCVgufQjPBO5/DgUyygLTzt8py9sZyyFDsqRAZ6E3IzBpxyWfUOoN81mUL6G31pZ/1b3YKpNs7DuqvP/aXIvb94o8KsLPQeoG7L2ulcOWX7I0yhlAgd8QUjhNoNq3mK/sQylq9Zy63GhQ=="
    ];
    # optional while testing noVNC login:
    # initialPassword = "changeme123";
  };

  security.sudo.wheelNeedsPassword = false;

  systemd.services.tailscale-firstboot = {
    description = "One-time Tailscale enrollment";
    after = [ "network-online.target" "tailscaled.service" ];
    wants = [ "network-online.target" "tailscaled.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      if [ ! -s /etc/tailscale/authkey ]; then
        exit 0
      fi

      key="$(cat /etc/tailscale/authkey)"
      ts_hostname=""
      if [ -s /etc/tailscale/hostname ]; then
        ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
      fi

      rm -f /var/lib/tailscale/tailscaled.state
      ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname

      rm -f /etc/tailscale/authkey
      rm -f /etc/tailscale/hostname
    '';
  };

  environment.systemPackages = with pkgs; [
    btop
    curl
    dig
    eza
    fd
    fzf
    git
    htop
    jq
    ripgrep
    tailscale
    tree
    unzip
    vim
    neovim
    wget
  ];

  system.stateVersion = "25.05";
}