# NixOS host definition for testvm01: a test-tier VM with a static address on
# ens18, Vault integration, NATS-based remote deployment, and an nginx virtual
# host used to exercise ACME certificate issuance.
{ config, lib, pkgs, ... }:

{
  # The hardware profile is taken from the template2 host directory; the other
  # two entries pull in the shared system and VM modules.
  imports = [
    ../template2/hardware-configuration.nix
    ../../system
    ../../common/vm
  ];

  homelab = {
    # Host metadata (adjust as needed). The host begins in the "test" tier and
    # is meant to move to prod after validation.
    host.tier = "test";

    # Remote deployment via NATS.
    deploy.enable = true;
  };

  # Vault integration.
  vault.enable = true;

  # NOTE(review): allows packages with unfree licences to be evaluated; none of
  # the packages listed in this file appear to need it. Presumably a shared
  # module does; confirm, or drop it for this host.
  nixpkgs.config.allowUnfree = true;

  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "testvm01";
    domain = "home.2rjus.net";

    # Interfaces are configured by systemd-networkd (see systemd.network below),
    # so the global DHCP client is switched off.
    useNetworkd = true;
    useDHCP = false;
    nameservers = [
      "10.69.13.5"
      "10.69.13.6"
    ];

    # NOTE(review): the host firewall is disabled, so every listening socket on
    # 10.69.13.20 is reachable from the network, not only nginx. The alternative
    # is to leave the firewall on and list the required ports in
    # networking.firewall.allowedTCPPorts / allowedUDPPorts. With forceSSL,
    # nginx would need 80 and 443; confirm which other ports the imported
    # shared modules rely on before switching.
    firewall.enable = false;
  };

  systemd.network = {
    enable = true;

    # Static addressing for the single NIC.
    networks."ens18" = {
      matchConfig.Name = "ens18";
      address = [ "10.69.13.20/24" ];
      routes = [
        { Gateway = "10.69.13.1"; }
      ];
      linkConfig.RequiredForOnline = "routable";
    };
  };

  time.timeZone = "Europe/Oslo";

  nix.settings = {
    experimental-features = [
      "nix-command"
      "flakes"
    ];
    # A TTL of 0 means cached tarballs are never treated as fresh.
    tarball-ttl = 0;
  };

  environment.systemPackages = [
    pkgs.vim
    pkgs.wget
    pkgs.git
  ];

  services = {
    resolved.enable = true;

    # Test nginx with an ACME certificate from OpenBao PKI.
    # NOTE(review): no ACME directory URL is set in this file. Presumably the
    # shared modules point security.acme at the internal PKI endpoint. Confirm,
    # because the NixOS default is a public CA.
    nginx = {
      enable = true;
      virtualHosts."testvm01.home.2rjus.net" = {
        # Plain-HTTP requests are redirected to HTTPS.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # Single static page built into the Nix store.
          root = pkgs.writeTextDir "index.html" ''
            If you're seeing this over HTTPS, the migration worked!
            Why do programmers prefer dark mode?
            Because light attracts bugs.
            Certificate issued by: vault.home.2rjus.net
          '';
        };
      };
    };
  };

  # Records the NixOS release this host was first installed with, for
  # stateful-data compatibility. Do not bump it as part of a routine upgrade.
  system.stateVersion = "25.11";
}