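# NixOS system module for the QEMU guest "nixos-dev": BIOS GRUB on /dev/sda,
# ext4 root and swap by label, NetworkManager, key-only SSH for one user,
# Docker, and a flakes-enabled Nix daemon.
#
# NOTE(review): the single account defined here has passwordless sudo, is in
# the docker group, and is a Nix trusted user. Each of these is root-equivalent
# on its own, so possession of the one authorized SSH key is the only barrier
# to full control of the host. Confirm that is the intended trust model.
{ config, lib, pkgs, ... }:

{
  # ─── Boot ──────────────────────────────────────────────────────────────────
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda"; # BIOS/MBR install on scsi0
    useOSProber = false;
  };

  # Tracks the newest kernel packaged in nixpkgs rather than the default one.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # ─── Filesystems ───────────────────────────────────────────────────────────
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };

  swapDevices = [
    { device = "/dev/disk/by-label/swap"; }
  ];

  # ─── Hardware ──────────────────────────────────────────────────────────────
  services.qemuGuest.enable = true;

  # ─── Network ───────────────────────────────────────────────────────────────
  networking = {
    hostName = "nixos-dev";
    networkmanager.enable = true;
    useDHCP = lib.mkDefault true;

    firewall = {
      enable = true;
      # 22 is SSH. 3000/8000/8080 are opened on every interface.
      # NOTE(review): presumably development servers; if the VM sits on a
      # shared network, limit these to a trusted interface or source range.
      # Ports published by Docker containers are usually opened by Docker's own
      # packet-filter rules and are not governed by this list; verify exposure
      # separately.
      allowedTCPPorts = [ 22 3000 8000 8080 ];
    };
  };

  # ─── SSH ───────────────────────────────────────────────────────────────────
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # Keyboard-interactive (PAM) is a separate sshd switch from
      # PasswordAuthentication; turn it off as well so that public-key is the
      # only accepted authentication method.
      KbdInteractiveAuthentication = false;
    };
  };

  # ─── Users ─────────────────────────────────────────────────────────────────
  users.users.konrad = {
    isNormalUser = true;
    # "wheel" grants sudo (passwordless, see below); "docker" grants access to
    # the Docker daemon, which is equivalent to root on the host.
    extraGroups = [ "wheel" "docker" "networkmanager" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      # crablo (OpenClaw agent)
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLK3oQWZNq7vanyv6E6DM4QTN03sKhp149Ob44YTiS4 crablo@proxmox"
    ];
  };

  # NOTE(review): with no sudo password, the SSH key above is the sole factor
  # protecting root. Protect and rotate that key accordingly.
  security.sudo.wheelNeedsPassword = false;

  # ─── Programs ──────────────────────────────────────────────────────────────
  programs = {
    zsh.enable = true;
    git.enable = true;
  };

  environment.systemPackages = with pkgs; [
    curl
    wget
    git
    vim
    neovim
    htop
    btop
    ripgrep
    fd
    jq
    tree
    unzip
    tmux
  ];

  # ─── Docker ────────────────────────────────────────────────────────────────
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };

  # ─── Nix ───────────────────────────────────────────────────────────────────
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    auto-optimise-store = true;
    # Trusted users may override daemon settings such as substituters, which
    # the Nix manual treats as root-equivalent.
    trusted-users = [ "root" "konrad" ];
  };

  # Weekly garbage collection that also deletes generations older than 7 days.
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 7d";
  };

  nixpkgs.config.allowUnfree = true;

  # Release whose stateful defaults this install follows; not the nixpkgs
  # version in use.
  system.stateVersion = "24.11";
}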