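# NixOS host configuration: firewall + key-only SSH, sops-nix secrets,
# a SearXNG instance fronted by the nginx module, and OpenClaw in podman.
#
# Fix: `gateway.trustedProxies` was written with commas between the list
# elements, which is a Nix syntax error (lists are whitespace-separated) and
# made the whole file fail to evaluate. Ports and hostnames that appear in
# more than one place are now bound once in the `let` block so they cannot
# drift apart.
{ config, pkgs, lib, ... }:

let
  searxngPort = 8888;
  searxngDomain = "search.ashisgreat.xyz"; # Change to your domain
  openclawPort = 18789;
  openclawDomain = "openclaw.ashisgreat.xyz";
in
{
  imports = [ ./hardware-configuration.nix ];

  # Workaround for https://github.com/NixOS/nix/issues/8502
  services.logrotate.checkConfig = false;

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking.hostName = "nixos";
  networking.domain = "";

  # === Firewall ===
  # Only SSH is opened here; 80/443 are added by the nginx module.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ]; # SSH (80/443 added by nginx module)
    allowPing = false;
  };

  # === SSH Hardening ===
  # Root login and password authentication are both off, so the only way in
  # is the authorized key listed under users.users.ashie.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # === User Account ===
  users.users.ashie = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com"
    ];
  };

  # === Sudo without password for wheel group ===
  # NOTE(review): together with key-only SSH this makes possession of the
  # ashie private key equivalent to root on this host.
  security.sudo.wheelNeedsPassword = false;

  # === SOPS (Secrets Management) ===
  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    age.keyFile = "/var/lib/sops-nix/key.txt";
    # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
    # Then add the public key to .sops.yaml
  };

  # === Automatic Updates ===
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };

  system.stateVersion = "23.11";

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    nano
    kitty.terminfo
    htop
    tmux
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # === SearXNG ===
  myModules.searxng = {
    enable = true;
    port = searxngPort;
    domain = searxngDomain;
    instanceName = "Ashie Search";
  };

  # === Nginx Reverse Proxy ===
  # The vhost key and upstream port are taken from the same bindings the
  # SearXNG module uses, so renaming the domain or moving the port is a
  # one-line change.
  myModules.nginx = {
    enable = true;
    email = "info@ashisgreat.xyz";
    domains = {
      "${searxngDomain}" = {
        port = searxngPort;
      };
    };
  };

  # === OpenClaw ===
  myModules.openclaw-podman = {
    enable = true;
    port = openclawPort;
    domain = openclawDomain;
  };

  # OpenClaw secrets
  # Declared here, referenced only via config.sops.placeholder.* below so the
  # rendered template, not the Nix expression, carries the secret values.
  sops.secrets.openclaw_discord_token = { };
  sops.secrets.openclaw_zai_api_key = { };

  sops.templates."openclaw.env" = {
    content = ''
      DISCORD_TOKEN=${config.sops.placeholder.openclaw_discord_token}
      ZAI_API_KEY=${config.sops.placeholder.openclaw_zai_api_key}
    '';
  };

  sops.templates."openclaw_config.json" = {
    content = builtins.toJSON {
      gateway = {
        port = openclawPort;
        bind = "0.0.0.0";
        # Loopback plus the 10.88/16 and 10.89/16 ranges — presumably the
        # podman bridge networks; confirm against `podman network inspect`.
        trustedProxies = [ "::1" "127.0.0.1" "10.88.0.0/16" "10.89.0.0/16" ];
        # NOTE(review): with auth mode "none", a wildcard control-UI origin
        # and the Host-header fallback enabled, anything that can reach this
        # port has full gateway access. Confirm the openclaw-podman module
        # does not publish the port on a host interface and that the reverse
        # proxy in front of it enforces its own access control.
        auth = {
          mode = "none";
        };
        controlUi = {
          dangerouslyAllowHostHeaderOriginFallback = true;
          allowedOrigins = [ "*" ];
        };
      };
      channels = {
        discord = {
          enabled = true;
          # NOTE(review): "open" policies with allowFrom ["*"] accept DMs and
          # group messages from any Discord user; verify this is intended.
          groupPolicy = "open";
          dmPolicy = "open";
          allowFrom = [ "*" ];
        };
      };
      agents = {
        defaults = {
          model = {
            primary = "zai/glm-5";
          };
        };
      };
      models = {
        providers = {
          zai = {
            baseUrl = "https://api.z.ai/api/coding/paas/v4";
            # `\$` keeps `${ZAI_API_KEY}` literal in the JSON instead of
            # being a Nix interpolation; presumably OpenClaw expands it from
            # the openclaw.env template above.
            apiKey = "\${ZAI_API_KEY}";
            api = "openai-completions";
            models = [
              { id = "glm-4.7"; name = "GLM 4.7"; contextWindow = 128000; maxTokens = 131072; }
              { id = "glm-5"; name = "GLM 5"; contextWindow = 128000; maxTokens = 131072; }
              { id = "glm-5-turbo"; name = "GLM 5 Turbo"; contextWindow = 128000; maxTokens = 131072; }
              { id = "glm-4.5-air"; name = "GLM 4.5 Air"; contextWindow = 128000; maxTokens = 131072; }
              { id = "glm-4.7-flash"; name = "GLM 4.7 Flash"; contextWindow = 128000; maxTokens = 131072; }
            ];
          };
        };
      };
    };
  };
}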