{ config, pkgs, lib, repoLocalPath, ... }:
let
  autoUpgradeUser = "alisceon";
  flakeRef = "path:${repoLocalPath}";
in
{
  boot = {
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    kernel.sysctl = {
      "net.ipv4.ip_unprivileged_port_start" = 0;
    };
    initrd = {
      network = {
        ssh.shell = pkgs.bash;
      };
    };
  };

  security.sudo-rs.enable = true;
  system.stateVersion = "24.05";

  system.autoUpgrade = {
    enable = true;
    persistent = true;
    flake = flakeRef;
    upgrade = false;
    flags = [
      "--print-build-logs"
      "--no-write-lock-file"
    ];
    dates = "03:40";
    fixedRandomDelay = true;
    randomizedDelaySec = "2h";
    runGarbageCollection = true;
  };

  systemd.services.nixos-upgrade.preStart = ''
    ${pkgs.util-linux}/bin/runuser -u ${autoUpgradeUser} -- ${lib.getExe config.nix.package} flake update --flake ${lib.escapeShellArg flakeRef}
  '';

  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
      min-free = 1024 * 1024 * 1024;
      max-free = 5 * 1024 * 1024 * 1024;
      trusted-users = [ "root" "alisceon" ];
    };
    gc = {
      automatic = true;
      persistent = true;
      dates = "weekly";
      randomizedDelaySec = "2h";
      options = "--delete-older-than 14d";
    };
    registry = {
      templates.to = {
        type = "git";
        url = "git+ssh://git@git.malice.zone/alisceon/devenv_templates.git";
      };
      nixpkgs.to = {
        type = "github";
        owner = "NixOS";
        repo = "nixpkgs";
        ref = "nixos-25.11";
      };
      nixpkgs-stable.to = {
        type = "github";
        owner = "NixOS";
        repo = "nixpkgs";
        ref = "nixos-25.11";
      };
    };
  };

  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;

  console.keyMap = "sv-latin1";
  networking.networkmanager.enable = true;
  time.timeZone = "Europe/Stockholm";
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "sv_SE.UTF-8";
    LC_IDENTIFICATION = "sv_SE.UTF-8";
    LC_MEASUREMENT = "sv_SE.UTF-8";
    LC_MONETARY = "sv_SE.UTF-8";
    LC_NAME = "sv_SE.UTF-8";
    LC_NUMERIC = "sv_SE.UTF-8";
    LC_PAPER = "sv_SE.UTF-8";
    LC_TELEPHONE = "sv_SE.UTF-8";
    LC_TIME = "sv_SE.UTF-8";
  };

  environment = {
    systemPackages = with pkgs; [
      libressl
      git
      wget
      curl
      btop
      ripgrep
      fd
      nh
      jq
      ncdu
      pciutils
      usbutils
      tree
      fzf
      psmisc
      pv
      file
      nix-tree
      unzip
      lsd
      bash
      nushell
      fish
      powershell
      python3
      python3Packages.python-lsp-server
      podman
    ];

    shells = with pkgs; [
      bash
      nushell
      fish
      powershell
      xonsh
    ];

    etc."current-system-packages".text =
      let
        packages = builtins.map (p: "${p.name}:\t${p}") config.environment.systemPackages;
        sortedUnique = builtins.sort builtins.lessThan (pkgs.lib.lists.unique packages);
      in
      pkgs.lib.strings.concatLines sortedUnique;
  };

  virtualisation = {
    libvirtd = {
      enable = true;
      qemu.swtpm.enable = true;
    };
    containers.enable = true;
    docker.enable = true;
    podman = {
      enable = true;
      dockerCompat = false;
      defaultNetwork.settings.dns_enabled = true;
    };
    oci-containers.backend = "podman";
  };

  users = {
    defaultUserShell = pkgs.bash;
    groups.docker = { };
    users.alisceon = {
      isNormalUser = true;
      extraGroups = [ "wheel" "networkmanager" "podman" "docker" "libvirtd" ];
      shell = pkgs.xonsh;
      openssh.authorizedKeys.keys = [
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvRYyYjN8z0yoPrHtaTQXY0iEtPl79K6/uXVceuS+31JGjRnqJjuDYg6KxAykGSfhercNdAJ2BTYJRGpMsW0Xn7+iq07TItcjJjERm7rjQZko4vauS62NdnV6BEG+6ktasb9CcepzwoRkLEXQOad3XbLbo0V2sj6uI5Rgq2Cfh6f9x1E1DJ87o6Ngkm+vQzdv4NYeya/O4vuoAw6BNhp4vyr9k+0K+TRLjflYPUwtb8U/agoYI5RoLZMa6eBKdPbLVYyahpMlYjHwr90H4c9veHliILcDSA8h6upcXSDwZiCPyu6cI4zRbzGQVg84iLmIs5ocMWsnuDQbqn5iM3BTV37atnTPI3O2C9WBxuOaGpk4C338V0CAfTo6GG/OSaFzfLBFE29nY6uXcCPH7KiDpig0naVWlpHZhED5OQRoSXBeyu4BgadV6eZ43HOcdbOAqbLcB1nvkKPi52Vj+JqwS8zIjQpipX22Trx2u4ike99ijeK6/XeoTnEAcUS0fcYQ0FDqqfLmr/HuxkEQ2NZF0sFFqVGUlpVJMFblNOH4L8A2kApnsrmlxnlVE+r0tTnnnK5tfCpyou/LPDM+4TzGw2nV2cwsZKbGaHvMM/qIvVva90mTcYfuDvGB10eQ2P9tN1TIjseONVLDVKNjNGzDBFY4RMeMJOWWQy0aBh0FP5Q== user@hannah.afk"
      ];
    };
  };

  programs = {
    command-not-found.enable = true;
    fzf.fuzzyCompletion = true;
    xonsh = {
      enable = true;
      extraPackages = ps: with ps; [
        pyperclip
        xonsh.xontribs.xonsh-direnv
        pkgs.nur.repos.xonsh-xontribs.xontrib-fish-completer
        pkgs.nur.repos.xonsh-xontribs.xontrib-abbrevs
        pkgs.nur.repos.xonsh-xontribs.xontrib-clp
        pkgs.nur.repos.xonsh-xontribs.xontrib-bashisms
        (
          ps.buildPythonPackage
          rec {
            name = "xontrib-fzf-completions";
            version = "v0.0.2";
            format = "pyproject";
            nativeBuildInputs = [ ps.setuptools ps.setuptools-scm ps.wheel ];
            propagatedBuildInputs = [ ps.xonsh ];
            src = pkgs.fetchFromGitHub {
              owner = "doronz88";
              repo = "${name}";
              rev = "${version}";
              sha256 = "sha256-1z5xHX4Psevn8686QkwIzv/LOJ5IMJc2nQ5Hg/2svTc=";
            };
            meta = {
              homepage = "https://github.com/doronz88/xontrib-fzf-completions";
              description = "fuzzy completions for xonsh";
              license = pkgs.lib.licenses.mit;
              maintainers = [ ];
            };
          }
        )
      ];
      config = builtins.readFile ../../home/conf/xonsh/xonshrc;
    };
  };
}