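# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
#
# Security-relevant summary of what this module declares:
#   * one login user (wongdingfeng) in `wheel`, authenticated by SSH public key
#   * passwordless sudo for `wheel`
#   * an OpenSSH server on port 2222 with key-only authentication
{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  modulesPath,
  ...
}: {
  # Import modules including LXC container support
  imports = [
    # Include the default lxd configuration.
    "${modulesPath}/virtualisation/lxc-container.nix"

    # Import your generated (nixos-generate-config) hardware configuration
    ./hardware-configuration.nix

    # Import our custom modules
    outputs.nixosModules.important-defaults
    outputs.nixosModules.incus
    outputs.nixosModules.orbstack
    # outputs.nixosModules.power-user-defaults
  ];

  nixpkgs = {
    # You can add overlays here
    overlays = [
      # Add overlays your own flake exports (from overlays and pkgs dir):
      outputs.overlays.additions
      outputs.overlays.modifications
      outputs.overlays.unstable-packages

      # You can also add overlays exported from other flakes:
      # neovim-nightly-overlay.overlays.default

      # Or define it inline, for example:
      # (final: prev: {
      #   hi = final.hello.overrideAttrs (oldAttrs: {
      #     patches = [ ./change-hello-to-hi.patch ];
      #   });
      # })
    ];

    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
    };
  };

  nix = let
    # Keep only the flake-typed entries of `inputs`.
    flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
  in {
    settings = {
      # Enable flakes and new 'nix' command
      experimental-features = "nix-command flakes";
      # Opinionated: disable global registry
      flake-registry = "";
      # Workaround for https://github.com/NixOS/nix/issues/9574
      nix-path = config.nix.nixPath;
    };

    # Opinionated: disable channels
    channel.enable = false;

    # Opinionated: make flake registry and nix path match flake inputs.
    # Resolving names only against the flake's own inputs keeps
    # `nix run nixpkgs#...` and `<nixpkgs>` on the revisions this flake declares.
    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
  };

  # User configuration
  users.users.wongdingfeng = {
    uid = 502;
    # `wheel` grants sudo; see security.sudo.wheelNeedsPassword below.
    extraGroups = [
      "wheel"
      "orbstack"
    ];

    # simulate isNormalUser, but with an arbitrary UID
    isSystemUser = true;
    group = "users";
    createHome = true;
    home = "/home/wongdingfeng";
    # Home directory is readable by its owner only.
    homeMode = "700";
    useDefaultShell = true;

    # SSH keys
    openssh.authorizedKeys.keys = [
      # Add your SSH public keys here
      # "ssh-rsa AAAAB3NzaC1yc2EAAAA... your-email@example.com"
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-email@example.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICA/3qb5Eg8NSFMHXZqFlWI9TxHZHQtFAjvcDfiTUtbv wongdingfeng@Wong-Ding-Fengs-MacBook-Pro.local-2024-01-23"
    ];
  };

  # Members of `wheel` run sudo without a password prompt. This file declares
  # no password for the user above, so possession of an authorized SSH key is
  # effectively root on this machine: keep the authorizedKeys list short and
  # the private keys protected.
  security.sudo.wheelNeedsPassword = false;

  # This being `true` leads to a few nasty bugs, change at your own risk!
  # With `false`, accounts and passwords come only from this configuration.
  users.mutableUsers = false;

  time.timeZone = "Asia/Singapore";

  # SSH Server configuration
  services.openssh = {
    enable = true;

    settings = {
      # Better security defaults: key-only authentication.
      # The previous values (PasswordAuthentication = true, PermitRootLogin = "yes")
      # contradicted this heading and exposed root and every account to password
      # guessing; the only credential declared in this file is an SSH public key.
      PasswordAuthentication = false;
      # Keyboard-interactive can still carry a PAM password prompt, so turn it
      # off as well. mkDefault lets another module override it without a conflict.
      KbdInteractiveAuthentication = lib.mkDefault false;
      # Root may not log in with a password. No root key is configured here;
      # set this to "no" if nothing else needs root over SSH
      # (NOTE(review): confirm against the imported modules).
      PermitRootLogin = "prohibit-password";

      # Enable X11 forwarding.
      # Forwarding lets the server side reach the client's X display for the
      # duration of a session; disable it if it is not used.
      X11Forwarding = true;
      X11DisplayOffset = 10;
      X11UseLocalhost = true;

      # Additional security settings
      # (`Protocol = 2` was dropped: current OpenSSH only implements protocol 2
      # and no longer honours that option.)
      MaxAuthTries = 3;
      # Drop sessions that stay unresponsive for 2 x 300 seconds.
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;

      # Allow only specific users (optional - uncomment if needed)
      # AllowUsers = [ "wongdingfeng" ];
    };

    # Listen on 2222 instead of the default port 22.
    # This reduces log noise only; it is not an access control.
    ports = [2222];
  };

  # System packages are now handled in power-user-defaults.nix
  # NOTE(review): that module is commented out in `imports` above, so the list
  # below is what actually gets installed from this file.
  environment.systemPackages = with pkgs; [
    neovim
    gitAndTools.gitFull
    tmux
    htop
    neofetch
    ripgrep
    fd
    ranger
  ];
}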