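# NixOS configuration for the "nixos-lnf" kiosk host: Intel graphics, a Cage
# (Wayland kiosk) session on tty1 that runs whatever command is stored in
# /etc/cage/current-cmd, and key-only SSH access for administration.
{ config, pkgs, ... }:

let
  # Single source of truth for the SSH public keys accepted for both the
  # "user" and "root" accounts. The original kept two hand-copied lists;
  # sharing one list means revoking a key removes it from both accounts.
  adminKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTpZThOE2EeDZ1rS7ynLS3mGtoSIQ9WazZDBUdP9THi tth@tth-worker"
    # Michael Roland
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7CHRy95muwEYKpQOL5T02vQEwSgJL8Z/q2YPXiV17+ ED25519/mroland@INSMR02NB/20250209"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILf0Wca6U/ee6NN7uxPMVSeHoNpLBM3K0pDA9Cmdblqc ED25519-KEY/mroland@MRPHONE2022/20220511"
    # René Mayrhofer
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/IX6NdpL3qW8gnfnDcXw906N7PCLuGHgCHdsMlR6Lh"
    # Franz Bauer
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLNosW/ZcQErMFuNA8pzKNKnaISvVj4Um7Y4D7151t7 FJB_ed25519_4INS-Server"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0h7HWbl3CpX8TCQmG/CjQVVTGpzegQJupGgykB5shJ eddsa-key-20250826"
  ];
in
{
  imports = [ ./hardware-configuration.nix ];

  # --- Boot ---------------------------------------------------------------
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  boot.loader.grub.useOSProber = true;
  boot.kernelParams = [ "i915.enable_guc=3" ];

  # --- Graphics -----------------------------------------------------------
  services.xserver.videoDrivers = [ "modesetting" ];
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      # Required for modern Intel GPUs (Xe iGPU and ARC)
      intel-media-driver # VA-API (iHD) userspace
      vpl-gpu-rt # oneVPL (QSV) runtime
      # Optional (compute / tooling):
      intel-compute-runtime # OpenCL (NEO) + Level Zero for Arc/Xe
      # NOTE: 'intel-ocl' also exists as a legacy package; not recommended for Arc/Xe.
      # libvdpau-va-gl # Only if you must run VDPAU-only apps
    ];
  };
  hardware.enableRedistributableFirmware = true;

  environment.sessionVariables = {
    LIBVA_DRIVER_NAME = "iHD";
    QT_QPA_PLATFORM = "wayland";
    WLR_NO_HARDWARE_CURSORS = "1";
  };

  # --- Networking ---------------------------------------------------------
  networking.hostName = "nixos-lnf";
  # NOTE(review): wpa_supplicant (networking.wireless) and NetworkManager are
  # both enabled. NixOS has an assertion against this combination unless some
  # interfaces are marked unmanaged; confirm which of the two is intended.
  networking.wireless.enable = true;
  networking.networkmanager.enable = true;
  # NOTE(review): the host firewall is switched off, so every listening socket
  # is reachable from the attached network. sshd is the only listener this
  # file configures; consider enabling the firewall and opening only what the
  # kiosk needs.
  networking.firewall.enable = false;

  # --- Locale / keyboard --------------------------------------------------
  time.timeZone = "Europe/Vienna";
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "de_AT.UTF-8";
    LC_IDENTIFICATION = "de_AT.UTF-8";
    LC_MEASUREMENT = "de_AT.UTF-8";
    LC_MONETARY = "de_AT.UTF-8";
    LC_NAME = "de_AT.UTF-8";
    LC_NUMERIC = "de_AT.UTF-8";
    LC_PAPER = "de_AT.UTF-8";
    LC_TELEPHONE = "de_AT.UTF-8";
    LC_TIME = "de_AT.UTF-8";
  };
  services.xserver.xkb = {
    layout = "de";
    variant = "";
  };
  console.keyMap = "de";

  # --- Accounts -----------------------------------------------------------
  # "user" is both the kiosk session account (services.cage.user) and, via
  # "wheel", a sudo-capable account. Anything that can change the kiosk
  # command therefore runs with this account's privileges.
  users.users.user = {
    isNormalUser = true;
    description = "user";
    extraGroups = [ "networkmanager" "wheel" "video" ];
    packages = with pkgs; [ ];
    openssh.authorizedKeys.keys = adminKeys;
  };

  # Root accepts the same keys; PermitRootLogin below allows key-based root
  # logins only.
  users.users.root = {
    openssh.authorizedKeys.keys = adminKeys;
  };

  # Passwordless sudo is limited to exactly one command line: restarting the
  # kiosk unit. kiosk-run below invokes this exact command so that it matches.
  security.sudo.extraRules = [
    {
      users = [ "user" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/systemctl restart cage-tty1.service";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # --- Packages -----------------------------------------------------------
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
    git
    nil
    nixd
    wlr-randr
    kmsxx
    libinput
    swayimg
    vlc
    ffmpeg-full
    (pkgs.python3.withPackages (python-pkgs: with python-pkgs; [ requests ]))
    jq
    bash
    # kiosk-run: store a new kiosk command and restart the Cage session.
    # The arguments are written verbatim to /etc/cage/current-cmd, which the
    # cage service later executes with bash, so whoever may run this (or
    # write that file) controls what the kiosk account executes.
    (pkgs.writeScriptBin "kiosk-run" ''
      #!/usr/bin/env bash
      set -euo pipefail

      if [[ $# -lt 1 ]]; then
        echo "Usage: kiosk-run <command> [args...]" >&2
        exit 1
      fi

      echo "Setting command: $*"
      echo "$*" > /etc/cage/current-cmd

      echo "Restarting cage..."
      # The original ran "systemctl kill" followed by "systemctl start"
      # through sudo, but only "systemctl restart cage-tty1.service" is
      # covered by the NOPASSWD rule, so both calls would have asked for a
      # password. Use the permitted command, spelled exactly as in the rule.
      sudo /run/current-system/sw/bin/systemctl restart cage-tty1.service
      echo "Done."
    '')
  ];
  programs.firefox.enable = true;

  # --- Kiosk session ------------------------------------------------------
  # Writable by the kiosk user at runtime. The file is executed by the cage
  # service, so it must not be writable by anyone else: the original mode
  # "0777" let every local account replace the command that runs as "user"
  # (a wheel member). Ownership by "user" with 0644 keeps kiosk-run working.
  environment.etc."cage/current-cmd" = {
    mode = "0644";
    user = "user";
    text = "curl -sL https://www.ins.jku.at/images/logos/logo-jku-ins-360x118.png | swayimg -f -";
  };

  # Restart the kiosk quickly and unconditionally; the session is stopped
  # with SIGKILL and short timeouts.
  systemd.services.cage-tty1 = {
    serviceConfig = {
      Restart = "always";
      RestartSec = "1s";
      TimeoutStopSec = "1";
      TimeoutAbortSec = "5";
      KillSignal = "SIGKILL";
    };
  };

  services.cage = {
    enable = true;
    user = "user";
    program = "${pkgs.bash}/bin/bash /etc/cage/current-cmd";
  };

  # Replace the getty login program with `true`, which exits immediately
  # instead of presenting a login.
  services.getty.loginProgram = "${pkgs.coreutils}/bin/true";

  # --- Remote access ------------------------------------------------------
  # Key-only SSH: password and keyboard-interactive authentication are off,
  # and root may log in with a key but never with a password.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "25.11";
}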