{ config, lib, pkgs, ... }:
{
  # VM Hardware Configuration
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
    useOSProber = false;
  };

  # Filesystem — will be generated by nixos-generate-config, but override
  fileSystems."/" = lib.mkDefault {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };
  fileSystems."/boot" = lib.mkDefault {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };

  # Network
  networking = {
    hostName = "nixos-dev";
    networkmanager.enable = true;
    useDHCP = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [ 22 8000 8080 3000 ];
    };
  };

  # QEMU Guest Agent (for Proxmox integration)
  services.qemuGuest.enable = true;

  # SSH
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = true;  # change to no after keys deployed
    };
  };

  # User configuration
  users.users.konrad = {
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" "networkmanager" ];
    shell = pkgs.zsh;
    # Temporary password — change after first login
    initialPassword = "changeme";
  };

  # System-wide programs
  programs = {
    zsh.enable = true;
    git.enable = true;
  };

  # System packages (minimal core)
  environment.systemPackages = with pkgs; [
    curl
    git
    vim
    htop
  ];

  # Docker
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };

  # Nix configuration
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Auto-upgrades
  system = {
    stateVersion = "24.11";
    autoUpgrade = {
      enable = true;
      allowReboot = false;
    };
  };

  # Enable flakes in this boot configuration
  boot.kernelPackages = pkgs.linuxPackages_latest;
}