{ config, lib, pkgs, keys, ... }:

{
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";

  # SSH — root access avec clés gortium + ai-worker
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = lib.mkForce "prohibit-password";
      PasswordAuthentication = lib.mkForce false;
    };
  };

  users.users.root.openssh.authorizedKeys.keys = with keys; [
    users.gortium.main
    users.ai-worker.main
  ];

  # AI worker user (Hermes SSH access)
  users.users.ai-worker = {
    isNormalUser = false;
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = with keys; [
      users.ai-worker.main
    ];
  };

  # Age secret for gortium password (file created by user)
  age.secrets.gortium_password = {
    file = ../secrets/gortium_password.age;
  };

  # WiFi via NetworkManager + secret agenix
  networking.networkmanager.enable = true;

  # Firmware
  hardware.enableRedistributableFirmware = true;

  # Hyprland Wayland compositor (manual start — no SDDM)
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };

  # HackerGadgets AIO v2 board
  hardware.uconsole-cm5-aio-v2 = {
    enable = true;

    # Rails actifs au boot
    bootRails = {
      GPS  = false;  # activé à la demande via aiov2_ctl GPS on
      LORA = false;  # activé à la demande via aiov2_ctl LORA on
      SDR  = false;  # activé à la demande via aiov2_ctl SDR on
      USB  = false;  # activé à la demande via aiov2_ctl USB on
    };

    enableGPS = false; # activer quand antenne GPS branchée
  };

  # DSI display fix: le kernel patch est dans flake.nix (patches/0008-panel-cwu50-fix-init-seq1.patch)
}