{ inputs, pkgs, lib, config, ... }:

{
  imports = lib.flatten [
    #
    # ========= Hardware =========
    #
    ./hardware-configuration.nix
    inputs.nixos-hardware.nixosModules.common-cpu-amd
    inputs.nixos-hardware.nixosModules.common-gpu-amd
    inputs.nixos-hardware.nixosModules.common-pc-ssd
    inputs.nixos-hardware.nixosModules.framework-13-7040-amd

    #
    # ======== Secure Boot =========
    #
    inputs.lanzaboote.nixosModules.lanzaboote

    #
    # ========= Disk Layout =========
    #
    inputs.disko.nixosModules.disko
    (lib.custom.relativeToRoot "hosts/common/disks/rihla.nix")
    {
      _module.args = {
        device = "/dev/nvme0n1";
        withSwap = true;
        swapSize = "4";
        label = "nixos";
      };
    }

    #
    # ========= Required Configs =========
    #
    (map lib.custom.relativeToRoot [ "hosts/common/core" ])

    #
    # ========= Optional Configs =========
    #
    (map (c: lib.custom.relativeToRoot "hosts/common/optional/${c}.nix") [
      "1password"
      "claude-code"
      "dconf"
      "docker"
      "hoppscotch"
      "hyprland"
      "nix-ld"
      "secure-boot"
      "yubikey"
    ])

    #
    # ========= Optional Services =========
    #
    (map
      (s: lib.custom.relativeToRoot "hosts/common/optional/services/${s}.nix") [
        "audio"
        "bluetooth"
        "firmware"
        "greetd"
        "openssh"
        "printing"
        "smart-card"
      ])

    #
    # ========= Specialisations ========
    #
    (map
      (s: lib.custom.relativeToRoot "hosts/common/specialisations/${s}.nix") [
        "gaming"
      ])
  ];

  #
  # ========= Host specification =========
  #
  hostSpec = {
    hostName = "rihla";
    useYubikey = lib.mkForce true;
    secureBoot = false;
    persist = "/persist";
    impermanance = false;
  };

  networking = {
    networkmanager.enable = true;
    enableIPv6 = false;
  };

  boot = {
    loader = {
      # Set this to true on first install. This must be false for secure boot.
      systemd-boot.enable = lib.mkForce (!config.hostSpec.secureBoot);
      efi.canTouchEfiVariables = true;
    };

    initrd.postResumeCommands = lib.mkIf config.hostSpec.impermanance
      (lib.mkAfter ''
        mkdir /btrfs_tmp
        mount /dev/crypt_vg/root /btrfs_tmp
        if [[ -e /btrfs_tmp/root ]]; then
            mkdir -p /btrfs_tmp/old_roots
            timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
            mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
        fi

        delete_subvolume_recursively() {
            IFS=$'\n'
            for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
                delete_subvolume_recursively "/btrfs_tmp/$i"
            done
            btrfs subvolume delete "$1"
        }

        for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
            delete_subvolume_recursively "$i"
        done

        btrfs subvolume create /btrfs_tmp/root
        umount /btrfs_tmp
      '');

    lanzaboote = {
      enable = config.hostSpec.secureBoot;
      pkiBundle = "/var/lib/sbctl";
    };
  };

  security.rtkit.enable = true;

  environment.systemPackages = with pkgs; [ pciutils bc ];

  system.stateVersion = "25.05";
}