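# Live installer ISO profile.
#
# This module is evaluated once per namespace (`${namespace}` is the
# flake-level option prefix passed in by the caller).  It describes a
# throw-away install image that nixos-anywhere can SSH into as root
# using one of the public keys listed below.
{ lib, pkgs, namespace, ... }:
let
  # SSH public keys sourced from sops secrets (ssh-keys-public section).
  # Baked in here since sops is not available on a live install ISO
  # (no persistent host key to decrypt with).
  # These are public keys only, but every key listed here gets key-based
  # root and user access to the live installer, so keep the list minimal.
  sopsPublicKeys = [
    # macbook-macos
    "ssh-rsa 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 mattjallen@MacBook-Pro.local"
    # desktop-windows
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
    # desktop-nixos
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
    # macbook-pro-nixos
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOhX3ds1QBC5qqqtPJDZgyGr8gfGjCGnGCiIhWZNNi4 matt@macbook-pro-nixos"
    # pi5
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy7r49e2dqi1UFICKZwqSRGEvNPgVB2p2KZE5bCkFsh matt@pi5"
    # deck
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF1pqrxyLTGHxsdtXP8lXiE2iHDTSMV9JVgN8GVRLKK deck@nixos"
  ];
in
{
  ${namespace} = {
    # ###################################################
    # Boot
    # ###################################################
    bootloader.lanzaboote.enable = true;

    # ###################################################
    # Hardware
    # ###################################################
    hardware.disko = {
      enable = true;
      filesystem = "btrfs";
    };

    # ###################################################
    # Impermanence
    # ###################################################
    impermanence = {
      enable = true;
    };

    # ###################################################
    # Network
    # ###################################################
    network = {
      hostName = "nixos";
      firewall = {
        enable = true;
        allowPing = true;
        # Allow SSH (required for nixos-anywhere).  This is the only
        # inbound port the live image exposes.
        allowedTCPPorts = [ 22 ];
      };
    };

    # ###################################################
    # Security
    # ###################################################
    security.tpm.enable = true;

    # ###################################################
    # Services
    # ###################################################
    # (none beyond the openssh settings forced at the top level below)

    # ###################################################
    # User
    # ###################################################
    user = {
      name = "nixos";
      linger = true;
      # Plain-text password for the live ISO session.
      # The user module assertion requires at least one password method.
      # Only usable at the local console: sshd below forces
      # PasswordAuthentication off, so this never grants remote access.
      password = "nixos";
      # Include all sops SSH public keys so any of your machines can connect.
      # commonSshKeys from the user module are also enabled by default.
      sshKeys = sopsPublicKeys;
    };
  };

  # ###################################################
  # Desktop (graphical specialisation)
  # ###################################################
  # The NixOS option is `specialisation.<name>.configuration`; the earlier
  # spelling `configuation` would fail evaluation as an undeclared option,
  # so the graphical boot entry was never produced.
  specialisation.graphical.configuration = {
    ${namespace}.desktop.cosmic.enable = true;
  };

  # home-manager.users.nixos.snowfallorg.user.name = "nixos";

  # ###################################################
  # Boot
  # ###################################################
  boot = {
    kernelPackages = lib.mkForce pkgs.${namespace}.linuxPackages_cachyos-server-lto;
    supportedFilesystems.zfs = false;
  };

  # ###################################################
  # SSH
  # ###################################################
  # Explicit openssh settings for nixos-anywhere compatibility.
  # nixos-anywhere SSHes in as root to run the install, so root login must be
  # permitted.  Password auth is disabled — key-only access only.
  #
  # `prohibit-password` (rather than `yes`) still allows key-based root
  # logins, which is all nixos-anywhere needs, and closes the remaining
  # non-key paths for root even if another module re-enables them.
  # KbdInteractiveAuthentication is a separate sshd option from
  # PasswordAuthentication, so it is forced off explicitly as well.
  services.openssh = {
    enable = lib.mkForce true;
    settings = {
      PermitRootLogin = lib.mkForce "prohibit-password";
      PasswordAuthentication = lib.mkForce false;
      KbdInteractiveAuthentication = lib.mkForce false;
    };
  };

  # nixos-anywhere connects as root; ensure root also trusts all our keys.
  # Intentionally the same list as the `nixos` user's sshKeys above.
  users.users.root.openssh.authorizedKeys.keys = sopsPublicKeys;

  # Sops is not usable on a live ISO (no persistent host key to decrypt with).
  # Disable sops validation to prevent build/boot failures.
  sops.defaultSopsFile = lib.mkForce "/dev/null";
  sops.validateSopsFiles = false;
}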