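# NixOS host module for the "uConsole" handheld: base system settings, ham
# radio / SDR / mesh tooling, network-assessment tools, and two long-running
# services (rnsd and kismet).
#
# Layout note: Nix `#` comments run to the end of the physical line, so this
# file must keep one statement per line. Collapsed onto a few long lines,
# everything after the first `#` is swallowed and the module no longer parses.
#
# `keys` is referenced below for the SSH authorized keys, so it has to be a
# module argument. NOTE(review): the original argument list omitted it, which
# leaves the name unbound; confirm it is supplied the same way as
# `paths` / `self` (e.g. through specialArgs).
{ config, lib, pkgs, paths, self, keys, ... }:

{
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";

  # System State
  system.stateVersion = "25.05";

  # Boot & Hardware (uconsole-cm5 module handles boot.loader)
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Networking
  networking.networkmanager.enable = true;

  # SSH: public-key logins only.
  services.openssh = {
    enable = true;
    settings = {
      # Root may log in with a key but never with a password. No root key is
      # configured in this file, so "no" would be the tighter value if root
      # logins are not needed. NOTE(review): confirm before tightening.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      # Keyboard-interactive is a separate sshd method that can still prompt
      # for a password through PAM; disable it so "keys only" really holds.
      KbdInteractiveAuthentication = false;
    };
  };

  # User
  users.users.gortium = {
    isNormalUser = true;
    # NOTE(review): the "kismet" group is not declared in this file; it is
    # presumably created by another module. The kismet unit below also sets
    # Group = "kismet" and will not start if the group is missing.
    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.gortium.gitea
    ];
  };

  # Passwordless sudo for every command. Anything that runs as "gortium" is
  # therefore one `sudo` away from root: an SSH session opened with either
  # authorized key, and both systemd units below (User = "gortium").
  # Narrowing `command` to the specific binaries that need it, or dropping
  # NOPASSWD, would restore a boundary between this account and root.
  security.sudo.extraRules = [
    {
      users = [ "gortium" ];
      commands = [
        { command = "ALL"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  # ============================================================
  # Package groups
  # ============================================================
  # NOTE(review): reticulumStack (and possibly lxmf / nomadnet) are resolved
  # through `with pkgs;`; presumably an overlay provides them. Confirm.
  environment.systemPackages = with pkgs; [
    # ===== Base =====
    emacs-pgtk
    git
    ripgrep
    fd
    htop
    tmux
    neovim

    # ===== HAM Radio =====
    js8call
    wsjtx
    fldigi
    pat                    # Winlink client
    direwolf               # AX.25 packet modem
    chirp                  # Radio programming tool
    hamlib                 # Ham radio control libraries
    trustedqsl             # Logbook of the World (LoTW)

    # ===== SDR / RF =====
    sdrpp                  # SDR++ spectrum analyzer
    gqrx                   # SDR receiver GUI
    rtl-sdr                # RTL-SDR drivers & utilities
    inspectrum             # Offline signal analysis
    soapysdr-with-plugins  # SoapySDR + hardware support plugins

    # ===== Mesh / LoRa =====
    meshtastic             # Python CLI for Meshtastic devices
    reticulumStack         # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
    lxmf                   # LXMF messaging protocol
    nomadnet               # Nomad Network client

    # ===== Security =====
    nmap
    aircrack-ng
    kismet                 # Wi-Fi monitor / IDS
    bettercap              # MITM/network attack framework
    # Installed as a plain package, so no capture wrapper or group is set up
    # here; `programs.wireshark.enable` is the NixOS option that lets an
    # unprivileged user capture instead of running the GUI as root.
    wireshark              # Packet analyzer
    hashcat                # GPU password cracker
    john                   # John the Ripper
    sqlmap                 # SQL injection tool

    # ===== GPS / Maps =====
    foxtrotgps
    viking                 # GPS map editor
    gpsbabel               # GPS data conversion
  ];

  # Packages noted but not in unstable nixpkgs:
  # - metasploit: unfree; install manually via Git clone
  # - burpsuite: unfree Java app (Community Edition available for download)
  # - sidechannel: not a distinct PyPI package; functionality covered by
  #   the Reticulum stack. For LXMF GUI client, install Sideband manually
  #   from github.com/markqvist/Sideband

  # ============================================================
  # Reticulum Service (rnsd)
  # ============================================================
  systemd.services.rnsd = {
    description = "Reticulum Network Stack Daemon";
    # `after` only orders the unit; `wants` is what actually pulls
    # network-online.target into the boot transaction.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Runs as the interactive account, which holds NOPASSWD sudo (above).
      # A dedicated system user would be the cleaner separation.
      User = "gortium";
      Group = "gortium";
      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
      Restart = "always";
      RestartSec = "10s";
      LimitNOFILE = 65536;
      # The daemon handles traffic from mesh peers. Blocking setuid
      # transitions keeps a compromised rnsd from invoking sudo and turning
      # the NOPASSWD rule into root.
      NoNewPrivileges = true;
    };
  };

  # ============================================================
  # Kismet Service (Wi-Fi monitoring / mesh node)
  # ============================================================
  systemd.services.kismet = {
    description = "Kismet Wi-Fi Monitor & IDS";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Same account as above, so the sudo caveat applies here as well.
      # NoNewPrivileges is not set because Kismet may depend on a privileged
      # capture helper that is not visible from this file. NOTE(review):
      # confirm how wlan0 capture is authorised, then harden accordingly.
      User = "gortium";
      Group = "kismet";
      # Capture logs are written into the user's home directory.
      # NOTE(review): check `--log-base` and `--no-nc-ui` against
      # `kismet --help` for the packaged version.
      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
      Restart = "always";
      RestartSec = "10s";
    };
  };

  # ============================================================
  # Kernel modules for SDR and radio
  # ============================================================
  # NOTE(review): 88x2bu is presumably an out-of-tree driver that needs a
  # matching boot.extraModulePackages entry elsewhere. Also, librtlsdr-based
  # tools (rtl-sdr, gqrx, sdrpp) generally cannot claim a dongle while the
  # DVB drivers listed here are bound to it; confirm which of the two uses
  # is intended.
  boot.kernelModules = [
    "88x2bu"            # Realtek 8812/8821BU USB WiFi (common adapter)
    "rtl8xxxu"          # RTL8188/8192/8723 USB WiFi
    "rtl2832_sdr"       # RTL-SDR kernel module
    "dvb_usb_rtl28xxu"  # RTL-SDR DVB-T
  ];
  boot.blacklistedKernelModules = [ ];

  # ============================================================
  # Extra udev rules for SDR and HAM radio devices
  # ============================================================
  services.udev.packages = with pkgs; [ rtl-sdr ];

  # ============================================================
  # Enable IPv6 for Reticulum mesh
  # ============================================================
  networking.enableIPv6 = true;

  # ============================================================
  # Firewall: open ports for Reticulum (optional)
  # ============================================================
  # Only SSH is reachable inbound; nothing is opened for Reticulum here.
  networking.firewall.allowedTCPPorts = [ 22 ];  # SSH only
  networking.firewall.allowedUDPPorts = [ ];
  # Reticulum uses its own encryption and doesn't need open ports
  # for basic mesh operations (peer-to-peer discovery).
  # For TCP interfaces, open additional ports as needed.
}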