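# NixOS host configuration for "alisceon-core": an Oracle Cloud (OCI)
# aarch64 instance serving Forgejo and the Syncthing GUI through nginx with
# ACME certificates.  The host imports the oci-image module and replaces its
# SSH key bootstrap with the `fetch-oci-authorized-keys` unit defined below.
{ lib, pkgs, modulesPath, ... }:
let
  forgejoDomain = "git.alisceon.com";
  syncthingDomain = "syncthing.alisceon.com";

  # Seeds ~alisceon/.ssh/authorized_keys from the OCI instance metadata
  # service (IMDS v2, which requires the "Authorization: Bearer Oracle"
  # header).  writeShellApplication runs the script under `set -euo pipefail`
  # and shellcheck, so any failing command aborts the unit.
  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
    name = "fetch-oci-authorized-keys";
    runtimeInputs = [ pkgs.coreutils pkgs.curl ];
    text = ''
      keyFile=/home/alisceon/.ssh/authorized_keys
      install -d -m 0700 -o alisceon -g users /home/alisceon/.ssh

      # Seed only once: an existing, non-empty file is never overwritten, so
      # later key changes are managed on the host rather than re-pulled.
      if [ -s "$keyFile" ]; then
        echo "OCI authorized_keys already present for alisceon"
        exit 0
      fi

      # Download into a private temp file and rename it into place, so a
      # truncated transfer can never leave a partial authorized_keys behind
      # (the -s check above would otherwise treat it as complete next boot).
      tmp=$(mktemp /home/alisceon/.ssh/.authorized_keys.XXXXXX)
      trap 'rm -f "$tmp"' EXIT

      # Bound the fetch: this unit is ordered Before=sshd.service and a
      # oneshot unit has no start timeout by default, so an unbounded curl
      # would hold sshd back indefinitely.  IMDS is link-local and answers
      # directly, so redirects are not followed.
      curl --fail --silent --show-error \
        --max-time 20 --retry 3 --retry-delay 2 \
        --header "Authorization: Bearer Oracle" \
        --output "$tmp" \
        http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys

      # An empty body is a 200 with no keys; refuse to install it so the
      # next boot retries instead of silently locking SSH out.
      if [ ! -s "$tmp" ]; then
        echo "OCI metadata returned no ssh_authorized_keys for alisceon" >&2
        exit 1
      fi

      chown alisceon:users "$tmp"
      chmod 0600 "$tmp"
      mv -f "$tmp" "$keyFile"
    '';
  };
in
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/forgejo.nix
    ../../modules/services/nginx.nix
    ../../modules/services/tor.nix
  ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "alisceon-core";
    networkmanager.enable = lib.mkForce false;
    # 22 sshd, 80/443 nginx (ACME challenges and the proxied vhosts),
    # 22000 TCP+UDP Syncthing sync listeners.  24601 is not referenced
    # anywhere else in this file — TODO confirm which service owns it.
    firewall.allowedTCPPorts = [ 22 80 443 22000 24601 ];
    firewall.allowedUDPPorts = [ 22000 ];
  };

  boot = {
    initrd.availableKernelModules = [ "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_net" "xhci_pci" ];
    # Keep the boot menu short; disk on this instance is limited (see nix.gc).
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };

  nix = {
    settings = {
      # Trigger GC at 512 MiB free and stop at 2 GiB free.
      min-free = lib.mkForce (512 * 1024 * 1024);
      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
      options = lib.mkForce "--delete-older-than 3d";
    };
  };

  virtualisation = {
    docker.enable = lib.mkForce false;
    # Podman provides the docker socket used by the actions runner below.
    podman = {
      enable = true;
      dockerSocket.enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
        flags = [ "--all" ];
      };
    };
  };

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "acme@alisceon.com";
    };
    # Passwordless sudo for wheel.  The cloud-init default user below is in
    # wheel, so possession of an authorized SSH key is equivalent to root.
    sudo-rs.wheelNeedsPassword = false;
  };

  services.openssh.settings = {
    PasswordAuthentication = false;
    PermitRootLogin = lib.mkForce "prohibit-password";
  };

  # Syncthing: GUI bound to loopback only and reached through the nginx
  # vhost below; discovery, NAT traversal, relays and usage reporting are all
  # off, so peers must be configured explicitly.
  services.syncthing = {
    enable = true;
    dataDir = "/var/lib/syncthing";
    guiAddress = "127.0.0.1:8384";
    openDefaultPorts = false;
    overrideDevices = false;
    overrideFolders = false;
    settings = {
      gui = {
        insecureAdminAccess = false;
        insecureSkipHostcheck = false;
      };
      options = {
        globalAnnounceEnabled = false;
        localAnnounceEnabled = false;
        listenAddresses = [ "tcp://0.0.0.0:22000" "quic://0.0.0.0:22000" ];
        natEnabled = false;
        relaysEnabled = false;
        urAccepted = -1;
      };
    };
  };

  alisceon.forgejo.domain = forgejoDomain;

  services.gitea-actions-runner.instances.alisceon-core-podman.labels = [ "podman" "aarch64" "arm64" ];

  services.nginx.virtualHosts = {
    ${forgejoDomain} = {
      serverName = forgejoDomain;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3000";
        recommendedProxySettings = true;
      };
    };
    # The Syncthing GUI is published to the internet here with no
    # authentication added at the proxy; access control therefore rests on
    # Syncthing's own GUI user/password, which this file does not declare —
    # TODO confirm it is set in the Syncthing config.
    ${syncthingDomain} = {
      serverName = syncthingDomain;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8384";
        # Hand-rolled headers instead of recommendedProxySettings: Host is
        # set to $proxy_host (the loopback upstream) so Syncthing's host
        # check (insecureSkipHostcheck = false above) accepts the request.
        recommendedProxySettings = false;
        extraConfig = ''
          proxy_set_header Host $proxy_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_read_timeout 600s;
          proxy_send_timeout 600s;
        '';
      };
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];
      users = [ "default" ];
      # lock_passwd keeps the account key-only; wheel membership combined
      # with wheelNeedsPassword = false above grants it root via sudo.
      system_info.default_user = {
        name = "alisceon";
        gecos = "Alisceon";
        groups = [ "wheel" "systemd-journal" ];
        shell = "/run/current-system/sw/bin/xonsh";
        lock_passwd = true;
      };
    };
  };

  # Runs once before sshd so the first SSH login can succeed.  It is only
  # Wanted by sshd, so a failure does not prevent sshd from starting; the
  # timeout ensures a hang cannot block it either.
  systemd.services.fetch-oci-authorized-keys = {
    description = "Fetch OCI metadata authorized_keys for alisceon";
    wantedBy = [ "sshd.service" ];
    before = [ "sshd.service" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      TimeoutStartSec = "90s";
      StandardError = "journal+console";
      StandardOutput = "journal+console";
    };
    script = lib.getExe fetchOciAuthorizedKeys;
  };

  # Presumably the key fetcher shipped by oci-image.nix; replaced by the unit
  # above — TODO confirm against the imported module.
  systemd.services.fetch-ssh-keys.enable = false;

  # Sandboxing for the Syncthing service; ReadWritePaths matches dataDir.
  systemd.services.syncthing = {
    serviceConfig = {
      LockPersonality = true;
      PrivateIPC = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [ "/var/lib/syncthing" ];
      RemoveIPC = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };

  environment.systemPackages = with pkgs; [ curl git htop jq vim wget ];

  system.stateVersion = lib.mkForce "25.11";
}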