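# NixOS host "garp": Forgejo (native module) behind Caddy on a QEMU guest,
# plus a VM variant for local testing with `nixos-rebuild build-vm`.
{ config, pkgs, lib, modulesPath, ... }:

let
  domain = "garp.kyrus.dev";
  email = "antoni.romanski@protonmail.com";
  # The only credentials that can open a root shell on the production host
  # (see PermitRootLogin = "prohibit-password" below).
  sshKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPqKKWflJRNTexs2VaMY3VgF7tPnR7MmxF4yQ6+U9VM hetzner"
  ];
in
{
  # ─── Boot ──────────────────────────────────────────────────────────
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  # ─── Networking ────────────────────────────────────────────────────
  networking.hostName = "garp";
  networking.useDHCP = lib.mkDefault true;
  # 22: sshd (also used for Forgejo git-over-ssh); 80/443: Caddy.
  # NOTE: ports published by Docker containers are opened through Docker's
  # own iptables rules and are not governed by this list.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  time.timeZone = "UTC";

  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
  };

  services.xserver.xkb = { layout = "de"; };
  console.keyMap = "de";

  services.openssh = {
    enable = true;
    settings = {
      # Key-only access. PasswordAuthentication = false alone is not enough:
      # the keyboard-interactive (PAM) path can still prompt for a password,
      # so it is switched off explicitly as well.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  users.users.root.openssh.authorizedKeys.keys = sshKeys;

  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
  };

  # Native module (not Docker) — gets proper systemd units, log
  # integration, and works with services.forgejo.dump for backups.
  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    settings = {
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${domain}/";
        # Loopback only: Caddy is the sole externally reachable entry point,
        # so Forgejo itself never terminates a connection from the network.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };
      # No self-service sign-up; accounts are created by an admin.
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      log.LEVEL = "Warn";
    };
  };

  services.caddy = {
    enable = true;
    email = email; # ACME account contact for the TLS certificate
    virtualHosts.${domain}.extraConfig = ''
      reverse_proxy 127.0.0.1:3000
    '';
  };

  environment.systemPackages = with pkgs; [
    git
    neovim
    btop
    tmux
    curl
    # Same package the service runs, so the CLI on PATH matches the server.
    config.services.forgejo.package
  ];

  # VM-only overrides (applied by `nixos-rebuild build-vm`)
  virtualisation.vmVariant = {
    virtualisation = {
      memorySize = 2048;
      cores = 2;
      # host.address pins the forwarded ports to the host's loopback. Without
      # it QEMU binds the host side on all interfaces, which would expose the
      # password-login VM below to anything on the host's network.
      forwardPorts = [
        { from = "host"; host.address = "127.0.0.1"; host.port = 2222; guest.port = 22; }
        { from = "host"; host.address = "127.0.0.1"; host.port = 3000; guest.port = 3000; }
        { from = "host"; host.address = "127.0.0.1"; host.port = 8080; guest.port = 80; }
      ];
    };

    # Reach Forgejo from the host via the forwarded port
    services.forgejo.settings.server.HTTP_ADDR = lib.mkForce "0.0.0.0";

    # Caddy without TLS in the VM (no real DNS / ACME)
    services.caddy.virtualHosts = lib.mkForce {
      ":80".extraConfig = ''
        reverse_proxy 127.0.0.1:3000
      '';
    };

    # Easy SSH into the VM for poking around. These three lines only take
    # effect inside vmVariant; the production sshd above stays key-only.
    services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
    services.openssh.settings.PasswordAuthentication = lib.mkForce true;
    # Plaintext password; it lands in the world-readable Nix store, which is
    # acceptable only because this is the throwaway VM.
    users.users.root.password = lib.mkForce "test";
  };

  system.stateVersion = "25.11";
}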