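# NixOS host module for an Oracle Cloud (OCI) aarch64 instance named
# "alisceon-core".
#
# Access model, as configured below:
#   * SSH password authentication is off and the cloud-init default user has
#     a locked password, so the only way in is an SSH key.
#   * The keys for `alisceon` are taken once, at boot, from the OCI instance
#     metadata service and written to ~/.ssh/authorized_keys.
#   * `alisceon` is in `wheel` and wheel members need no sudo password, so
#     possession of one of those keys is equivalent to root on this host.
{ lib, pkgs, modulesPath, ... }:
let
  # One-shot helper that seeds /home/alisceon/.ssh/authorized_keys from the
  # OCI metadata endpoint. It is a no-op once a non-empty file exists, so
  # keys changed later in the instance metadata are NOT picked up and keys
  # removed there are NOT revoked here.
  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
    name = "fetch-oci-authorized-keys";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.curl
    ];
    text = ''
      ssh_dir=/home/alisceon/.ssh
      keys="$ssh_dir/authorized_keys"

      install -d -m 0700 -o alisceon -g users "$ssh_dir"

      if [ -s "$keys" ]; then
        echo "OCI authorized_keys already present for alisceon"
        exit 0
      fi

      # Download into a private temp file and rename it into place only after
      # a complete, non-empty response. Writing straight to authorized_keys
      # could leave a truncated, root-owned file behind on failure, which the
      # "-s" check above would then accept as final on every later boot.
      umask 077
      tmp="$(mktemp "$ssh_dir/authorized_keys.XXXXXX")"
      trap 'rm -f -- "$tmp"' EXIT

      # The metadata service is plain HTTP on a link-local address; what it
      # returns decides who can log in, so the request is bounded in time and
      # retried a few times instead of hanging ahead of sshd.
      # NOTE(review): --location is kept from the original; if this endpoint
      # never redirects, dropping it pins the key source to 169.254.169.254.
      curl --fail --silent --show-error --location \
        --connect-timeout 5 --max-time 20 \
        --retry 3 --retry-delay 2 \
        --header "Authorization: Bearer Oracle" \
        --output "$tmp" \
        http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys

      if [ ! -s "$tmp" ]; then
        echo "OCI metadata returned no ssh_authorized_keys" >&2
        exit 1
      fi

      chown alisceon:users "$tmp"
      chmod 0600 "$tmp"
      # rename() replaces the destination entry itself rather than writing
      # through whatever may already sit at that path.
      mv -f -- "$tmp" "$keys"
    '';
  };
in
{
  imports = [ "${modulesPath}/virtualisation/oci-image.nix" ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "alisceon-core";
    networkmanager.enable = lib.mkForce false;
  };

  boot.initrd.availableKernelModules = [
    "virtio_pci"
    "virtio_blk"
    "virtio_scsi"
    "virtio_net"
    "xhci_pci"
  ];

  # Only extra groups are set here; the account itself is presumably declared
  # in another module or created by cloud-init (verify). The fetch unit's
  # `install -o alisceon` fails if the user does not exist when it runs.
  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  # Passwordless sudo for wheel: combined with key-only login this makes the
  # metadata-provided SSH keys the single credential protecting root.
  security.sudo-rs.wheelNeedsPassword = false;

  services.openssh.settings = {
    PasswordAuthentication = false;
    # Root may still log in with a key. NOTE(review): if nothing needs direct
    # root SSH (alisceon already has sudo), "no" would be the tighter value.
    PermitRootLogin = lib.mkForce "prohibit-password";
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = [
        "Oracle"
        "ConfigDrive"
        "NoCloud"
      ];
      users = [ "default" ];
      system_info.default_user = {
        name = "alisceon";
        gecos = "Alisceon";
        groups = [
          "wheel"
          "systemd-journal"
        ];
        # NOTE(review): xonsh is not in environment.systemPackages below;
        # confirm another module installs it, otherwise this login shell path
        # does not exist and SSH sessions for the only key-holding user fail.
        shell = "/run/current-system/sw/bin/xonsh";
        lock_passwd = true;
      };
    };
  };

  # Runs the helper before sshd starts. sshd only "wants" this unit, so a
  # failed fetch does not stop sshd; it just leaves alisceon without keys.
  systemd.services.fetch-oci-authorized-keys = {
    description = "Fetch OCI metadata authorized_keys for alisceon";
    wantedBy = [ "sshd.service" ];
    before = [ "sshd.service" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      StandardError = "journal+console";
      StandardOutput = "journal+console";
    };
    script = lib.getExe fetchOciAuthorizedKeys;
  };

  # Presumably the key-fetch unit shipped by the imported OCI image module;
  # it is switched off so the unit above is the only one seeding keys.
  systemd.services.fetch-ssh-keys.enable = false;

  environment.systemPackages = with pkgs; [
    curl
    git
    htop
    jq
    vim
    wget
  ];

  system.stateVersion = lib.mkForce "25.11";
}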