{ config, lib, pkgs, keys, ... }:

{
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";

  # ============================================================
  # SSH Access — ta clé + clé de déploiement
  # ============================================================
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = lib.mkForce "prohibit-password";
    settings.PasswordAuthentication = lib.mkForce false;
  };

  users.users.root = {
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.ai-worker.main
    ];
  };

  # ============================================================
  # Networking — WiFi via NetworkManager
  # ============================================================
  networking.networkmanager.enable = true;

  # ============================================================
  # WiFi credentials from agenix (SSID + password encrypted)
  # Reused across hosts — all connect to the same home WiFi
  # ============================================================
  age.secrets.home_wifi = {
    file = ../../secrets/home_wifi.age;
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # Write WiFi connection at activation (reads decrypted age secret)
  systemd.services.ensure-wifi = {
    description = "Configure WiFi from age secret";
    after = [ "network.target" "age-home_wifi.service" ];
    wants = [ "age-home_wifi.service" ];
    before = [ "NetworkManager-wait-online.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = let
        wifi-setup = pkgs.writeShellScript "wifi-setup" ''
          SSID="$(head -1 /run/secrets/home_wifi)"
          PASS="$(tail -1 /run/secrets/home_wifi)"
          if ! nmcli -t connection show "$SSID" >/dev/null 2>&1; then
            nmcli device wifi connect "$SSID" password "$PASS"
          fi
        '';
      in "${wifi-setup}";
    };
  };

  # ============================================================
  # Kernel parameters from nixos-uconsole CM5 module
  # ============================================================
  boot.kernelParams = [
    "8250.nr_uarts=1"
    "console=tty1"
  ];

  # ============================================================
  # Console font for 5" 720x1280 display
  # ============================================================
  console = {
    earlySetup = true;
    font = "ter-v24n";
    packages = with pkgs; [ terminus_font ];
  };

  # ============================================================
  # Display — vc4/panel_cwu50 loaded AFTER RP1 PCIe init
  # Rien dans initrd — tout RP1 est derrière PCIe
  # ============================================================
  hardware.graphics.enable = true;

  boot.kernelModules = [
    "panel_cwu50"     # uConsole DSI panel driver
    "vc4"             # VideoCore 4 KMS GPU driver
    "rp1_dsi"         # RP1 DSI bridge driver
  ];

  boot.initrd.kernelModules = lib.mkForce [ ];

  # ============================================================
  # CM5 Config.txt — override complet (clear les defaults de nixos-uconsole)
  # ============================================================
  hardware.raspberry-pi.config = { };

  hardware.raspberry-pi.extra-config = ''
    [all]
    arm_64bit=1
    enable_uart=1
    disable_audio_dither=1
    ignore_lcd=0
    dtdebug=1
    gpio=10=ip,np
    gpio=11=op,dh
    dtoverlay=audremap
    dtparam=ant2=on
    dtparam=audio=on
    dtparam=pin_12_13=on

    [pi5]
    dtoverlay=clockworkpi-uconsole-cm5
    dtoverlay=vc4-kms-v3d-pi5,cma-384
    dtparam=pciex1=off
    dtparam=nohdmi1=off
  '';

  # ============================================================
  # CM5 Display Backlight Fix
  # ============================================================
  systemd.services.cm5-backlight-fix = {
    description = "CM5 Display Backlight Fix";
    after = [ "multi-user.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = let
        fixScript = pkgs.writeShellScript "backlight-fix" ''
          for bl in /sys/class/backlight/*/brightness; do
            if [ -f "$bl" ]; then
              max=$(cat "$(dirname "$bl")/max_brightness" 2>/dev/null || echo 100)
              echo "$max" > "$bl" 2>/dev/null || true
            fi
          done
        '';
      in "${fixScript}";
    };
  };

  # ============================================================
  # Minimal packages
  # ============================================================
  environment.systemPackages = with pkgs; [
    git
    vim
    htop
    libgpiod      # GPIO control
  ];
}