{
  config,
  pkgs,
  lib,
  ...
}:

let
  mkUserService = pkgs.writeShellScriptBin "mk-user-service" ''
        set -euo pipefail

        if [ "$#" -lt 2 ]; then
          echo "Usage: mk-user-service <name> <exec command...>" >&2
          exit 1
        fi

        name="$1"
        shift

        unitDir="''${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
        unitFile="$unitDir/$name.service"

        mkdir -p "$unitDir"

        if [ -e "$unitFile" ]; then
          echo "Refusing to overwrite existing unit: $unitFile" >&2
          exit 2
        fi

        cat > "$unitFile" <<EOF
    [Unit]
    Description=$name

    [Service]
    Type=simple
    ExecStart=$*
    Restart=on-failure
    RestartSec=2

    [Install]
    WantedBy=default.target
    EOF

        echo "Created $unitFile"
        echo "Next steps:"
        echo "  systemctl --user daemon-reload"
        echo "  systemctl --user enable --now $name.service"
  '';
in
{
  imports = [
    ./modules/atproto-pds.nix
    ./modules/cloudflare.nix
    ./modules/tangled.nix
    ../../modules/force.nix
    ./modules/gitea.nix
    ./modules/vaultwarden.nix
    ./modules/zipline.nix
    ./slop/openclaw.nix
    ./slop/brave.nix
  ];

  # gcc. shit breaks. wtf
  environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib";

  services.vscode-server.enable = true;

  services.openssh.settings = lib.mkDefault {
    PubkeyAuthentication = "yes";
    TrustedUserCAKeys = "/etc/ssh/ca.pub";
    PermitRootLogin = lib.mkDefault "prohibit-password";
    KbdInteractiveAuthentication = lib.mkDefault false;
  };

  services.openssh = {
    enable = lib.mkForce true;
  };

  environment.systemPackages = with pkgs; [
    mosh
    fastfetch
    hyfetch
    bash
    jdk
    steam-run
    opencode
    bun
    nodejs
    node-gyp
    playwright
    chromium
    brave
    (pkgs.callPackage ./slop/rocksky-cli.nix { })
  ];

  users.users.ocbwoy3 = {
    initialPassword = "thisisapassword42069!"; # not the type passwords i use
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "networkmanager"
      "docker"
    ];
    shell = pkgs.zsh;
  };

  users.users.kris = {
    initialPassword = "thisisapassword42069!";
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "networkmanager"
      "docker"
    ];
    shell = pkgs.zsh;
    packages = [
      pkgs.mrpack-install
      mkUserService
    ];
  };

  system.activationScripts.enableKrisLinger.text = ''
    ${pkgs.systemd}/bin/loginctl enable-linger kris || true
  '';

  nixpkgs.overlays = [
    (final: prev: {
      nixos-rebuild = prev.writeShellScriptBin "nixos-rebuild" ''
                set -euo pipefail

                action="''${1:-}"
                case "$action" in
                  switch|boot|test|build|dry-activate)
                    needs_flake=1
                    ;;
                  *)
                    needs_flake=0
                    ;;
                esac

                has_flake=0
                for arg in "$@"; do
                  case "$arg" in
                    --flake|--flake=*)
                      has_flake=1
                      break
                      ;;
                  esac
                done

                if [ "$needs_flake" -eq 1 ] && [ "$has_flake" -eq 0 ]; then
                  cat >&2 <<'EOF'

        🚨🚨🚨 WARNING: DANGEROUS SYSTEM REBUILD 🚨🚨🚨
        This host is FLAKE-MANAGED. Do not attempt to rebuild the system from /etc/nixos.

        Please ensure you are running THIS EXACT COMMAND inside /home/ocbwoy3/config:

           sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade

        Aborting unsafe nixos-rebuild invocation.
        EOF
                  exit 64
                fi

                exec ${prev.nixos-rebuild}/bin/nixos-rebuild "$@"
      '';
    })
  ];

  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      "log-driver" = "local";
      "log-opts" = {
        "max-size" = "10m";
        "max-file" = "3";
      };
      "live-restore" = true;
    };
  };

  systemd.services.docker.serviceConfig = {
    CPUQuota = "200%";
    MemoryMax = "12G";
  };

  services.mongodb = {
    enable = true;
    enableAuth = false;
    package = pkgs.mongodb-ce;
    replSetName = "rs0"; # dangerous
    bind_ip = "0.0.0.0";
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22
      443
      3000
      3001
      4067
      8080
      25565
    ];
    allowedUDPPorts = [
      22
      443
      3000
      3001
      4067
      8080
      25565
    ];
  };

  networking.hostName = "kris-server";

  # Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
  systemd.tmpfiles.rules = [
    "z /etc/nixos 0555 root root - -"
  ];

  # Force resolver config to Cloudflare only.
  networking.nameservers = lib.mkForce [
    "1.1.1.1"
    "1.0.0.1"
  ];
  environment.etc."resolv.conf".text = lib.mkForce ''
    nameserver 1.1.1.1
    nameserver 1.0.0.1
  '';

  catppuccin = {
    enable = true;
    flavor = "mocha";
    accent = "blue";
    gitea.enable = false;
  };

  system.stateVersion = "23.05"; # DO NOT TOUCH

}