{ config, lib, pkgs, keys, ... }:

{
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";

  # SSH — root access avec clés gortium + ai-worker
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = lib.mkForce "prohibit-password";
      PasswordAuthentication = lib.mkForce false;
    };
  };

  users.users.root.openssh.authorizedKeys.keys = with keys; [
    users.gortium.main
    users.ai-worker.main
  ];

  # AI worker user (Hermes SSH access)
  users.users.ai-worker = {
    isNormalUser = false;
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = with keys; [
      users.ai-worker.main
    ];
  };

  # Age secret for gortium password (file created by user)
  age.secrets.gortium_password = {
    file = ../secrets/gortium_password.age;
  };

  # Password file for gortium (merges with users/gortium/default.nix)
  users.users.gortium.hashedPasswordFile = config.age.secrets.gortium_password.path;

  # WiFi via NetworkManager + secret agenix
  networking.networkmanager.enable = true;

  # Firmware
  hardware.enableRedistributableFirmware = true;

  # Hyprland Wayland compositor (manual start — no SDDM)
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };
}