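# Shared baseline NixOS module: Nix daemon settings, common services,
# a small `update` helper for rebuilding from /etc/nixos, and sudo/wrapper
# policy. Most values use lib.mkDefault so a host can override them;
# lib.mkForce is used where this module insists on the value.
{ lib, pkgs, ... }:
let
  timezone = "America/Chicago";

  # `update [boot|switch|test|build]` rebuilds this host from the flake in
  # /etc/nixos. For `switch` and `boot` the generation is stored under a
  # profile named after the UTC timestamp, the commit hash and the commit
  # subject, so each generation can be traced back to the commit it came from.
  #
  # The script runs `sudo nixos-rebuild` on whatever is checked out in
  # /etc/nixos, so write access to that repository decides what gets built
  # and activated as root.
  update-script = pkgs.writeScriptBin "update" ''
    #!/usr/bin/env bash
    set -euo pipefail

    # ===== Config =====
    REPO_DIR="/etc/nixos"
    HOST=$(hostname)
    FLAKE="$REPO_DIR#$HOST"

    # ===== Parse arguments =====
    MODE=''${1:-"switch"}
    VALID_MODES=("boot" "switch" "test" "build")

    # Compare against each allowed mode exactly. A substring test against
    # the joined list would also accept values such as "boot switch".
    MODE_OK=0
    for candidate in "''${VALID_MODES[@]}"; do
      if [[ "$candidate" == "$MODE" ]]; then
        MODE_OK=1
        break
      fi
    done
    if [[ "$MODE_OK" -ne 1 ]]; then
      echo "❌ Invalid mode: '$MODE'. Use one of: ''${VALID_MODES[*]}" >&2
      exit 1
    fi

    # ===== Git status check =====
    cd "$REPO_DIR"
    DIRTY_TAG=""
    if [[ -n "$(git status --porcelain)" ]]; then
      echo "⚠️ Git repo is dirty — rebuilding with dirty tag."
      DIRTY_TAG="dirty-"
    fi

    SHORT_HASH=$(git rev-parse --short HEAD)
    # The commit subject ends up inside a profile name, so it is reduced to
    # alphanumerics, "_" and "-": no path separators, dots or whitespace.
    # NOTE(review): the subject is not length-limited here; a very long
    # subject may exceed what a profile (file) name can hold. Confirm.
    COMMIT_MSG=$(git log -1 --pretty=%s | tr ' ' '_' | tr -dc '[:alnum:]_-')
    TIMESTAMP=$(date -u +%Y%m%dT%H%M%SZ)
    # The name always starts with the timestamp, so it cannot be mistaken
    # for a command-line option.
    PROFILE_NAME=$TIMESTAMP-$DIRTY_TAG$SHORT_HASH-$COMMIT_MSG

    echo "✅ Building profile: $PROFILE_NAME"

    # Use --profile-name only when MODE is 'switch' or 'boot'
    if [[ "$MODE" == "switch" || "$MODE" == "boot" ]]; then
      sudo nixos-rebuild "$MODE" --flake "$FLAKE" --profile-name "$PROFILE_NAME"
    else
      sudo nixos-rebuild "$MODE" --flake "$FLAKE"
    fi
  '';
in
{
  imports = [
    ../share
  ];

  # Enable nix flakes and nix-command tools
  nix = {
    settings = {
      # Store paths fetched from these caches are accepted when signed by a
      # trusted key, so each entry extends trust to that cache's builders.
      substituters = [
        "https://nix-community.cachix.org"
        "https://cache.nixos.org/"
      ];
      # Only the nix-community key is listed here.
      # NOTE(review): the cache.nixos.org key is presumably supplied by the
      # NixOS defaults for this option; confirm on a built system.
      trusted-public-keys = [
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      # The `update` script reports a dirty tree itself.
      warn-dirty = lib.mkForce false;
      experimental-features = lib.mkForce [
        "nix-command"
        "flakes"
      ];
      # The Nix manual describes trusted users as essentially equivalent to
      # root (they may, for example, add substituters of their own). Treat
      # wheel membership here with the same care as sudo access.
      trusted-users = [ "@wheel" ];
    };

    # Garbage collect automatically every week
    gc.automatic = lib.mkDefault true;
    gc.options = lib.mkDefault "--delete-older-than 30d";
    optimise.automatic = lib.mkDefault true;
  };

  # Configure nixpkgs
  # Enable non free
  nixpkgs.config.allowUnfree = lib.mkForce true;

  # Hardware configs
  hardware = {
    # Bluetooth
    bluetooth.enable = lib.mkDefault true;
    # Enable all firmware
    enableAllFirmware = lib.mkForce true;
  };

  # Services configs
  services = {
    # sshd is on by default for every host importing this module. No sshd
    # settings are set in this file.
    # NOTE(review): confirm password and root login policy is set per host
    # or in ../share.
    openssh.enable = lib.mkDefault true;

    # Enable firmware updates
    fwupd.enable = lib.mkForce true;

    fstrim.enable = lib.mkDefault true;
    pcscd.enable = lib.mkDefault true;

    # Enable CUPS to print documents.
    printing.enable = lib.mkDefault true;

    # configure pipewire
    pipewire = {
      enable = lib.mkDefault true;
      alsa.enable = lib.mkDefault true;
      alsa.support32Bit = lib.mkDefault true;
      pulse.enable = lib.mkDefault true;
    };

    # Enable Avahi for .local hostname resolution
    avahi = {
      enable = lib.mkDefault true;
      nssmdns4 = lib.mkDefault true; # For modern systems, use nssmdns4 instead of nssmdns
      # Publishing announces this host (addresses, domain, workstation
      # record) to the local network; hosts on untrusted networks may want
      # to override these defaults.
      publish = {
        enable = lib.mkDefault true;
        addresses = lib.mkDefault true;
        domain = lib.mkDefault true;
        workstation = lib.mkDefault true;
      };
    };
  };

  # Time config
  time = {
    # Set your time zone.
    timeZone = timezone;
  };

  boot = {
    # Enable AppImage
    # Files matching the magic below are handed to appimage-run when
    # executed.
    binfmt.registrations.appimage = {
      wrapInterpreterInShell = lib.mkDefault false;
      interpreter = "${pkgs.appimage-run}/bin/appimage-run";
      recognitionType = "magic";
      offset = 0;
      mask = "\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff";
      magicOrExtension = "\\x7fELF....AI\\x02";
    };
  };

  programs = {
    zsh.enable = lib.mkDefault true;
    gnupg.agent = {
      enable = lib.mkDefault true;
      enableSSHSupport = lib.mkDefault true;
    };
    command-not-found.enable = lib.mkForce false;
  };

  environment.systemPackages = with pkgs; [
    update-script
    nixd
    pinentry-curses
  ];

  # users.mutableUsers = lib.mkDefault false;

  # Security config
  security = {
    # Installs mount.nfs as a setuid-root wrapper, so it runs as root for
    # any local user who invokes it.
    # NOTE(review): what an unprivileged user may mount then depends on
    # mount.nfs's own checks; confirm this wrapper is needed on every host.
    wrappers."mount.nfs" = {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${pkgs.nfs-utils.out}/bin/mount.nfs";
    };

    rtkit.enable = lib.mkDefault true;

    # configure sudo
    sudo = {
      enable = lib.mkDefault true;
      # Passwordless sudo for wheel is limited to these three commands;
      # `systemctl` is allowed only with the single argument `suspend`.
      extraRules = [
        {
          commands = [
            {
              command = "${pkgs.systemd}/bin/systemctl suspend";
              options = [ "NOPASSWD" ];
            }
            {
              command = "${pkgs.systemd}/bin/reboot";
              options = [ "NOPASSWD" ];
            }
            {
              command = "${pkgs.systemd}/bin/poweroff";
              options = [ "NOPASSWD" ];
            }
          ];
          groups = [ "wheel" ];
        }
      ];
    };
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
}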