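# Host configuration for the "extremist-software" VM.
# `config.mySecrets.*` is provided by ./secrets/secrets.nix (see imports below).
{ config, pkgs, modulesPath, ... }:
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./modules/caddy.nix
    ./modules/forgejo.nix
    ./modules/mail.nix
    ./modules/searx.nix
    ./modules/matrix.nix
    ./modules/monitoring.nix
    ./secrets/secrets-scheme.nix
    # Impure secrets: this module is expected to populate config.mySecrets
    ./secrets/secrets.nix
  ];

  # Bootloader: GRUB with EFI support, installed to the removable-media path
  # so the VM boots without depending on firmware NVRAM entries.
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  # Networking
  networking = {
    hostName = "extremist-software";
    firewall = {
      allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
      # Everything arriving over the tailnet interface bypasses the firewall.
      trustedInterfaces = [ "tailscale0" ];
      # Required for Tailscale subnet routing and exit nodes, and often helpful for connectivity
      checkReversePath = "loose";
    };
  };

  # Tailscale: the node authenticates at boot with the pre-auth key written to
  # /etc below, so no manual `tailscale up` is needed.
  services.tailscale = {
    enable = true;
    authKeyFile = "/etc/secrets/tailscale-auth";
  };

  # SECURITY NOTE(review): environment.etc.<name>.text is rendered into the Nix
  # store, which is world-readable, so this auth key is readable by every local
  # user and by anything with access to the store. mode = "0400" makes the /etc
  # copy root-only (tailscaled runs as root), but the store copy remains; move
  # the key to a runtime secrets mechanism that keeps it out of the store.
  environment.etc."secrets/tailscale-auth" = {
    text = config.mySecrets.tailscaleKey;
    mode = "0400";
  };

  # Root SSH access is key-only; the key comes from the secrets module.
  users.users.root.openssh.authorizedKeys.keys = [ config.mySecrets.sshPublicKey ];

  # SSH - hardened: no passwords, root only with a key.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };

  # System
  system.stateVersion = "24.05";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nixpkgs.config.allowUnfree = true; # Allow unfree packages (Minecraft, etc.)

  # Time
  time.timeZone = "UTC";

  # ZRAM for limited RAM
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };
}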