{ config, lib, pkgs, ... }:
let
  # Oneshot check run by systemd.services.vault-test (below). It verifies that
  # the secret rendered by the vault module landed under /run/secrets and that
  # the module's cache directory exists. It prints only the password's byte
  # count (`wc -c`), never its contents, so the journal/console output of the
  # unit does not expose the secret.
  # NOTE(review): `-f` only tests existence; an empty password file still
  # passes and reports "Password length: 0".
  vault-test-script = pkgs.writeShellApplication {
    name = "vault-test";
    text = ''
      echo "=== Vault Secret Test ==="
      echo "Secret path: hosts/vaulttest01/test-service"
      if [ -f /run/secrets/test-service/password ]; then
        echo "✓ Password file exists"
        echo "Password length: $(wc -c < /run/secrets/test-service/password)"
      else
        echo "✗ Password file missing!"
        exit 1
      fi
      if [ -d /var/lib/vault/cache/test-service ]; then
        echo "✓ Cache directory exists"
      else
        echo "✗ Cache directory missing!"
        exit 1
      fi
      echo "Test successful!"
    '';
  };
in
{
  imports = [
    ../template2/hardware-configuration.nix
    ../../system
    ../../common/vm
  ];

  nixpkgs.config.allowUnfree = true;

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = "vaulttest01";
  networking.domain = "home.2rjus.net";

  # Static networking via systemd-networkd; DHCP is disabled and the
  # interface is only considered online once it is routable.
  networking.useNetworkd = true;
  networking.useDHCP = false;
  services.resolved.enable = true;
  networking.nameservers = [
    "10.69.13.5"
    "10.69.13.6"
  ];
  systemd.network.enable = true;
  systemd.network.networks."ens18" = {
    matchConfig.Name = "ens18";
    address = [ "10.69.13.150/24" ];
    routes = [ { Gateway = "10.69.13.1"; } ];
    linkConfig.RequiredForOnline = "routable";
  };

  time.timeZone = "Europe/Oslo";

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  # tarball-ttl = 0 disables caching of fetched tarballs, so every evaluation
  # re-fetches them (useful on a test host, costly elsewhere).
  nix.settings.tarball-ttl = 0;

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
  ];

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # NOTE(review): with the firewall off, every listening service on this host
  # is reachable on ens18 (10.69.13.150). The ACME HTTP-01 listener below
  # (`listenHTTP = ":80"`) is the only inbound port this file itself needs;
  # if the firewall is re-enabled, TCP 80 must be added to allowedTCPPorts
  # or certificate issuance will fail.
  networking.firewall.enable = false; # Testing config

  # Enable Vault secrets management
  vault.enable = true;

  # Define a test secret
  # secretPath is the path the vault module fetches; the result is expected at
  # /run/secrets/test-service/password (checked by vault-test-script above).
  # restartTrigger/restartInterval presumably re-fetch the secret daily and
  # restart the listed services — confirm against the vault module.
  vault.secrets.test-service = {
    secretPath = "hosts/vaulttest01/test-service";
    restartTrigger = true;
    restartInterval = "daily";
    services = [ "vault-test" ];
  };

  # Create a test service that uses the secret
  # `after` is ordering only: no requires/wants is declared here, so vault-test
  # still starts (and fails at the file check) if the secret unit is absent or
  # failed. Whether the vault module adds a dependency via `services` above
  # is not visible in this file — confirm.
  systemd.services.vault-test = {
    description = "Test Vault secret fetching";
    wantedBy = [ "multi-user.target" ];
    after = [ "vault-secret-test-service.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = lib.getExe vault-test-script;
      # Output goes to the journal and the console; the script only prints the
      # secret's length, not its value.
      StandardOutput = "journal+console";
    };
  };

  # Test ACME certificate issuance from OpenBao PKI
  # Override the global ACME server (from system/acme.nix) to use OpenBao instead of step-ca
  # mkForce discards the system-wide value outright rather than merging with
  # it. The directory is fetched over HTTPS, so the CA that issued vault01's
  # TLS certificate must already be trusted by this host — presumably handled
  # in the imported system config; verify.
  security.acme.defaults.server = lib.mkForce "https://vault01.home.2rjus.net:8200/v1/pki_int/acme/directory";

  # Request a certificate for this host
  # Using HTTP-01 challenge with standalone listener on port 80
  # ":80" has no host part, so the listener presumably binds all addresses —
  # confirm. enableDebugLogs makes the ACME client log verbosely; keep it
  # limited to test hosts.
  security.acme.certs."vaulttest01.home.2rjus.net" = {
    listenHTTP = ":80";
    enableDebugLogs = true;
  };

  system.stateVersion = "25.11"; # Did you read the comment?
}