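# NixOS host configuration: base system, SSH access, secrets (sops-nix),
# and the SearXNG / nginx / OpenClaw service modules.
#
# Line breaks are restored here. In the collapsed form, the first `#` comment
# swallowed the rest of the line, so the expression could not be parsed.
{ config, pkgs, lib, ... }:
{
  imports = [
    ./hardware-configuration.nix
  ];

  # Workaround for https://github.com/NixOS/nix/issues/8502
  services.logrotate.checkConfig = false;

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking.hostName = "nixos";
  networking.domain = "";

  # === Firewall ===
  # Default-deny inbound; only the ports listed here (plus whatever enabled
  # modules add themselves) are reachable from the network.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ]; # SSH (80/443 added by nginx module)
    allowPing = false;
  };

  # === SSH Hardening ===
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # PasswordAuthentication alone does not cover PAM keyboard-interactive
      # logins; disable that path as well so public keys are the only way in.
      KbdInteractiveAuthentication = false;
    };
  };

  # === User Account ===
  # No password is declared for this account; login is by SSH key only.
  users.users.ashie = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com"
    ];
  };

  # === Sudo without password for wheel group ===
  # NOTE(review): with this set, the SSH key above is equivalent to root, and
  # so is any process running as a wheel user. Left unchanged because the
  # account has no password to prompt for; if a hashed password is added
  # later, revisit this setting.
  security.sudo.wheelNeedsPassword = false;

  # === SOPS (Secrets Management) ===
  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # Private age key used to decrypt secrets on this host. It must exist on
    # the machine before activation and must never be committed to the repo.
    # NOTE(review): confirm it is root-owned and not group/world readable.
    age.keyFile = "/var/lib/sops-nix/key.txt";
    # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
    # Then add the public key to .sops.yaml
  };

  # === Automatic Updates ===
  # allowReboot = false: a new kernel/initrd only takes effect after a manual
  # reboot, so security fixes there stay pending until someone reboots.
  # NOTE(review): no `flake` or `channel` is set, so upgrades follow the
  # default source; confirm that matches how this host is deployed.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };

  system.stateVersion = "23.11";

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    nano
    kitty.terminfo
    htop
    tmux
  ];

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];

  # === SearXNG ===
  myModules.searxng = {
    enable = true;
    port = 8888;
    domain = "search.ashisgreat.xyz"; # Change to your domain
    instanceName = "Ashie Search";
  };

  # === Nginx Reverse Proxy ===
  # NOTE(review): only the search domain is listed. Presumably the
  # openclaw-podman module publishes its own vhost for its domain; verify.
  myModules.nginx = {
    enable = true;
    email = "info@ashisgreat.xyz";
    domains = {
      "search.ashisgreat.xyz" = {
        port = 8888;
      };
    };
  };

  # === OpenClaw ===
  # NOTE(review): published container ports can be reachable despite the host
  # firewall, depending on how the module binds them. Confirm that 18789 is
  # bound to loopback or otherwise only reachable through the reverse proxy.
  myModules.openclaw-podman = {
    enable = true;
    port = 18789;
    domain = "openclaw.ashisgreat.xyz";
  };

  # OpenClaw secrets
  # Declared with defaults. The decrypted values come from defaultSopsFile.
  sops.secrets.openclaw_discord_token = { };
  sops.secrets.openclaw_zai_api_key = { };
  sops.secrets.openclaw_brave_api_key = { };

  # Env file rendered at activation with the placeholders substituted, so the
  # plaintext tokens never enter the Nix store. Consumers should read it via
  # config.sops.templates."openclaw.env".path.
  # NOTE(review): no owner/mode is set; confirm the defaults fit the account
  # the container runs as.
  sops.templates."openclaw.env" = {
    content = ''
      DISCORD_TOKEN=${config.sops.placeholder.openclaw_discord_token}
      ZAI_API_KEY=${config.sops.placeholder.openclaw_zai_api_key}
      BRAVE_API_KEY=${config.sops.placeholder.openclaw_brave_api_key}
    '';
  };
}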