{
  config,
  lib,
  pkgs,
  ...
}:

{
  imports = [
    ./hardware-configuration.nix
    ../../system/sshd.nix
  ];

  # Root user with no password but SSH key access for bootstrapping
  users.users.root = {
    hashedPassword = "";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
    ];
  };

  # Proxmox image-specific configuration
  # Configure storage to use local-zfs instead of local-lvm
  image.modules.proxmox = {
    proxmox.qemuConf.virtio0 = lib.mkForce "local-zfs:vm-9999-disk-0";
    proxmox.qemuConf.boot = lib.mkForce "order=virtio0";
    proxmox.cloudInit.defaultStorage = lib.mkForce "local-zfs";
  };

  # Configure cloud-init to use ConfigDrive datasource (used by Proxmox)
  services.cloud-init.settings = {
    datasource_list = [ "ConfigDrive" "NoCloud" ];
  };

  homelab.host = {
    tier = "test";
    priority = "low";
    labels.ansible = "false";  # Exclude from Ansible inventory
  };

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  networking.hostName = "nixos-template2";
  networking.domain = "home.2rjus.net";
  networking.useNetworkd = true;
  networking.useDHCP = false;
  services.resolved.enable = true;

  systemd.network.enable = true;
  systemd.network.networks."ens18" = {
    matchConfig.Name = "ens18";
    networkConfig.DHCP = "ipv4";
    linkConfig.RequiredForOnline = "routable";
  };
  time.timeZone = "Europe/Oslo";

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.tarball-ttl = 0;
  nix.settings.substituters = [
    "https://nix-cache.home.2rjus.net"
    "https://cache.nixos.org"
  ];
  nix.settings.trusted-public-keys = [
    "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
  ];
  environment.systemPackages = with pkgs; [
    age
    vim
    wget
    git
  ];

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  networking.firewall.enable = false;

  # Compressed swap in RAM - prevents OOM during bootstrap nixos-rebuild
  zramSwap.enable = true;

  system.stateVersion = "25.11";
}