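# Blogbox: a single-purpose OCI image that serves a Hugo site over nginx with
# ACME certificates and republishes it from a git checkout on a timer.
{ lib, pkgs, modulesPath, ... }:
let
  siteDomain = "blogbox.alisceon.com";
  # Git checkout the site is built from (owned by the publishing user).
  repoDir = "/home/alisceon/blogbox-site";
  stateDir = "/var/lib/blogbox";
  # Document root served by nginx; only ever written by rsync from a fresh build.
  publicDir = "${stateDir}/www";

  # Pull the site repository and rebuild it with Hugo.
  #
  # Security note: whatever arrives in the checkout (including submodule URLs
  # taken from .gitmodules) is trusted as-is -- there is no commit or tag
  # signature check -- so anyone who can push to the remote controls the
  # published content. The systemd unit below limits the blast radius to
  # repoDir and stateDir.
  updateBlogboxSite = pkgs.writeShellApplication {
    name = "update-blogbox-site";
    runtimeInputs = [ pkgs.coreutils pkgs.git pkgs.hugo pkgs.rsync ];
    text = ''
      set -euo pipefail

      # The checkout is created by hand after first boot, so a missing repo is
      # not an error: just skip this run.
      if [ ! -d ${lib.escapeShellArg repoDir}/.git ]; then
        echo "${repoDir} is not a git checkout yet; skipping Hugo publish"
        exit 0
      fi

      install -d -m 0755 ${lib.escapeShellArg stateDir} ${lib.escapeShellArg publicDir}

      # --ff-only: never merge or rewrite local history; fail loudly on divergence.
      git -C ${lib.escapeShellArg repoDir} pull --ff-only
      git -C ${lib.escapeShellArg repoDir} submodule sync --recursive
      git -C ${lib.escapeShellArg repoDir} submodule update --init --recursive

      # Build into a scratch tree first and only then sync into the live
      # document root, so a failed build never leaves a half-written site.
      rm -rf ${lib.escapeShellArg stateDir}/hugo-public
      hugo \
        --source ${lib.escapeShellArg repoDir} \
        --destination ${lib.escapeShellArg stateDir}/hugo-public \
        --minify \
        --cleanDestinationDir
      rsync -a --delete ${lib.escapeShellArg stateDir}/hugo-public/ ${lib.escapeShellArg publicDir}/
    '';
  };
in
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/cloud-init.nix
    ../../modules/services/nginx.nix
    ../../modules/services/oci-authorized-keys.nix
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  networking = {
    hostName = "blogbox";
    networkmanager.enable = lib.mkForce false;
    useDHCP = lib.mkDefault true;
    # SSH plus plain/TLS HTTP; nothing else is reachable from outside.
    firewall.allowedTCPPorts = [ 22 80 443 ];
  };

  boot = {
    kernelPackages = lib.mkForce pkgs.linuxPackages;
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  # Keep the image small: no manuals or docs on a headless web host.
  documentation = {
    enable = lib.mkForce false;
    man.enable = lib.mkForce false;
    doc.enable = lib.mkForce false;
    info.enable = lib.mkForce false;
    nixos.enable = lib.mkForce false;
  };

  environment = {
    defaultPackages = lib.mkForce [ ];
    shells = lib.mkForce [ pkgs.bash ];
    systemPackages = lib.mkForce (with pkgs; [ curl git hugo vim ]);
  };

  programs = {
    command-not-found.enable = lib.mkForce false;
    fish.enable = lib.mkForce false;
    fzf.fuzzyCompletion = lib.mkForce false;
    xonsh.enable = lib.mkForce false;
  };

  users = {
    defaultUserShell = lib.mkForce pkgs.bash;
    users.alisceon = {
      createHome = true;
      # wheel grants passwordless sudo below; systemd-journal lets the user
      # read logs without root.
      extraGroups = lib.mkForce [ "wheel" "systemd-journal" ];
      shell = lib.mkForce pkgs.bash;
    };
  };

  alisceon = {
    cloud-init.enable = true;
    ociAuthorizedKeys.enable = true;
  };

  nix = {
    settings = {
      min-free = lib.mkForce (256 * 1024 * 1024);
      max-free = lib.mkForce (1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    # NOTE(review): passwordless sudo for wheel means a stolen SSH key for
    # alisceon is immediately root. Left as-is because cloud-init users on
    # this image presumably have no password to type; if one is ever set,
    # flip this to true.
    sudo-rs.wheelNeedsPassword = false;
  };

  services = {
    openssh.settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication=no alone does not stop PAM password prompts via
      # keyboard-interactive; disable that path too so only keys are accepted.
      KbdInteractiveAuthentication = false;
      # Root stays reachable with a key. The ociAuthorizedKeys module may rely
      # on that for first-boot access -- verify before tightening to "no".
      PermitRootLogin = lib.mkForce "prohibit-password";
    };
    journald.extraConfig = ''
      SystemMaxUse=64M
      RuntimeMaxUse=32M
    '';
    nginx.virtualHosts.${siteDomain} = {
      serverName = siteDomain;
      forceSSL = true;
      enableACME = true;
      root = publicDir;
      # Static files only; anything that is not a file or directory is a 404.
      locations."/".extraConfig = ''
        try_files $uri $uri/ =404;
      '';
    };
  };

  systemd = {
    # All three trees belong to the publishing user; nginx only needs
    # world-readable traversal (0755) to serve publicDir.
    tmpfiles.rules = [
      "d ${repoDir} 0755 alisceon users - -"
      "d ${stateDir} 0755 alisceon users - -"
      "d ${publicDir} 0755 alisceon users - -"
    ];

    services.update-blogbox-site = {
      description = "Pull and publish the Blogbox Hugo site";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig = {
        Type = "oneshot";
        User = "alisceon";
        Group = "users";
        ExecStart = lib.getExe updateBlogboxSite;
        # A hung git fetch would otherwise block this oneshot forever
        # (Type=oneshot defaults to no start timeout).
        TimeoutStartSec = "15min";
        Nice = 10;
        IOSchedulingClass = "idle";

        # Sandbox: the job only needs the checkout, the state dir, /tmp and the
        # network. Everything else is read-only or hidden.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ repoDir stateDir ];
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Return EPERM rather than SIGSYS so a stray syscall from git/hugo/rsync
        # surfaces as an error instead of a silent kill.
        SystemCallFilter = [ "@system-service" ];
        SystemCallErrorNumber = "EPERM";
        UMask = "0022";
      };
    };

    timers.update-blogbox-site = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        # Every five minutes. OnCalendar takes a calendar expression, not a
        # time span: "5m" does not parse and the timer would never fire.
        OnCalendar = "*:0/5";
        Persistent = true;
      };
    };
  };

  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

  swapDevices = [
    {
      device = "/swapfile";
      size = 8 * 1024;
    }
  ];

  # No container or VM runtimes on a static web host.
  virtualisation = {
    containers.enable = lib.mkForce false;
    docker.enable = lib.mkForce false;
    libvirtd = {
      enable = lib.mkForce false;
      qemu.swtpm.enable = lib.mkForce false;
    };
    podman.enable = lib.mkForce false;
  };

  system.stateVersion = lib.mkForce "25.11";
}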