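{ config, pkgs, ... }:

let
  # Single source of truth for the configuration repository. Both values
  # are interpolated into the update script below; previously the script
  # repeated the same strings by hand and these bindings were unused.
  gitRepoUrl = "https://git.skarockoi.de/ska/nixos-production.git";
  gitLocalPath = "/var/lib/nixos-config";
in
{
  imports = [ ./hardware-configuration.nix ];

  # Critical boot settings
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Keep QEMU profile for testing, but make it work on physical hardware too
  boot.initrd.availableKernelModules = [
    "ahci"
    "xhci_pci"
    "virtio_pci"
    "virtio_scsi"
    "usb_storage"
    "sd_mod"
    "sr_mod"
  ];
  boot.kernelModules = [ "kvm-intel" ];

  networking.hostName = "nixos-usb";
  networking.networkmanager.enable = true;

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "de_DE.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "de_DE.UTF-8";
    LC_IDENTIFICATION = "de_DE.UTF-8";
    LC_MEASUREMENT = "de_DE.UTF-8";
    LC_MONETARY = "de_DE.UTF-8";
    LC_NAME = "de_DE.UTF-8";
    LC_NUMERIC = "de_DE.UTF-8";
    LC_PAPER = "de_DE.UTF-8";
    LC_TELEPHONE = "de_DE.UTF-8";
    LC_TIME = "de_DE.UTF-8";
  };

  # Graphical session: GNOME on GDM with a German keyboard layout
  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.xkb.layout = "de";
  services.xserver.libinput.enable = true;
  console.keyMap = "de";

  # Audio setup: PipeWire replaces PulseAudio; rtkit lets it request realtime priority
  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  services.printing.enable = true;

  # User setup
  # NOTE(review): "wheel" already makes this account an administrator, and
  # "disk" additionally grants raw read/write on every block device
  # (including the system disk), which is root-equivalent on its own. The
  # udev rule at the bottom of this file relies on the "disk" membership.
  users.users.user = {
    isNormalUser = true;
    description = "user";
    extraGroups = [ "networkmanager" "wheel" "audio" "video" "disk" ];
    shell = pkgs.bash;
  };

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Essential packages
  environment.systemPackages = with pkgs; [
    git
    vim
    curl
    wget
    openssh
    rsync
    pciutils
    usbutils
    gparted
    gnome-disk-utility
    obsidian
    libreoffice
    keepassxc
    thunderbird
    tor-browser
    inkscape
    gimp
    pdfarranger
    epiphany
    gnomeExtensions.gsconnect
    gnomeExtensions.dash-to-dock
    file
    psmisc
    lsof
    strace
  ];
  programs.firefox.enable = true;

  # First-boot setup script with proper PATH setup.
  # Runs once (guarded by the marker file below) to give a cloned USB
  # image its own identity and hardware description.
  environment.etc."first-boot-setup.sh".text = ''
    #!/run/current-system/sw/bin/bash
    set -e

    if [ ! -f /var/lib/nixos-firstboot-done ]; then
      echo "=== First boot setup for cloned NixOS USB ==="

      # Generate new machine-id (the cloned image carries the source machine's id)
      echo "Generating new machine ID..."
      rm -f /etc/machine-id /var/lib/dbus/machine-id 2>/dev/null || true
      systemd-machine-id-setup

      # Regenerate hardware configuration for this machine.
      # NOTE(review): by default this writes under /etc/nixos, while the
      # auto-update service rebuilds from the git checkout, which imports
      # its own ./hardware-configuration.nix. Confirm that the regenerated
      # file is actually consumed somewhere; otherwise this step is a no-op
      # for the git-driven rebuilds.
      echo "Detecting hardware configuration..."
      nixos-generate-config --root / --no-filesystems

      # Ensure proper permissions
      chmod 700 /root
      if [ -d /home/user ]; then
        chmod 755 /home/user
        chown -R user:user /home/user
      fi

      # Mark first boot complete
      mkdir -p /var/lib
      touch /var/lib/nixos-firstboot-done
      echo "First boot setup complete."
    fi
  '';
  environment.etc."first-boot-setup.sh".mode = "0700";

  # Auto-update script: pulls the config repository and switches the
  # system to it whenever origin/main has moved.
  #
  # NOTE(review): this runs as root and applies whatever origin/main
  # serves, with no commit signature or tag verification and no pinned
  # revision. Anyone who can push to that repository, or who can
  # interpose on the HTTPS fetch, gets root code execution on every
  # cloned machine within the hour. Consider verifying signatures
  # (e.g. `git verify-commit origin/main` against an allowed-signers
  # list) before the reset, and logging the applied revision so the
  # journal records what was deployed.
  environment.etc."update-nixos-config.sh".text = ''
    #!/run/current-system/sw/bin/bash
    set -e

    # Ensure all system tools are available
    export PATH="/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin"
    export NIX_PATH="nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"

    LOCAL_PATH="${gitLocalPath}"
    REPO_URL="${gitRepoUrl}"

    if [ ! -d "$LOCAL_PATH/.git" ]; then
      # First run on this machine: clone. Note that a fresh clone already
      # matches origin/main, so no rebuild happens until the next change
      # lands upstream.
      mkdir -p "$LOCAL_PATH"
      chmod 700 "$LOCAL_PATH"
      echo "Cloning config from $REPO_URL..."
      git clone "$REPO_URL" "$LOCAL_PATH"
    else
      cd "$LOCAL_PATH"
      echo "Fetching updates..."
      git fetch origin
      LOCAL_HEAD=$(git rev-parse HEAD)
      REMOTE_HEAD=$(git rev-parse origin/main)
      if [ "$LOCAL_HEAD" != "$REMOTE_HEAD" ]; then
        echo "New config available. Updating from $LOCAL_HEAD to $REMOTE_HEAD..."
        # Hard reset discards any local edits in the checkout; the repo is
        # treated as the only source of truth.
        git reset --hard origin/main
        nixos-rebuild switch -I nixos-config="$LOCAL_PATH/configuration.nix"
        echo "System updated successfully."
      else
        echo "Config is already up to date."
      fi
    fi
  '';
  environment.etc."update-nixos-config.sh".mode = "0700";

  # First boot service with proper PATH
  systemd.services.first-boot-setup = {
    description = "One-time setup for cloned NixOS USB";
    script = "/etc/first-boot-setup.sh";
    path = with pkgs; [
      systemd
      git
      nixos-install-tools # Provides nixos-generate-config
      coreutils
      findutils
      glibc
    ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib";
    };
    wantedBy = [ "multi-user.target" ];
  };

  # Auto-update service (started by the timer below, not at boot directly)
  systemd.services.nixos-git-update = {
    description = "Update NixOS from Git config repository";
    script = "/etc/update-nixos-config.sh";
    path = with pkgs; [
      git
      nixos-install-tools
      coreutils
    ];
    serviceConfig = {
      Type = "oneshot";
      User = "root";
      Group = "root";
    };
  };

  # Run updates hourly after boot
  systemd.timers.nixos-git-update = {
    description = "Check for config updates hourly";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "60s";
      OnUnitActiveSec = "1h";
    };
  };

  # Udev rules for USB devices.
  # Grants the "disk" group read/write on USB block devices (the account
  # above is in that group). This is not "all users" and it does not by
  # itself permit unprivileged mounting; presumably the desktop's udisks
  # integration handles mounting — verify that is what is relied on.
  services.udev.extraRules = ''
    # Give group "disk" rw access to USB block devices
    ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", MODE="0660", GROUP="disk"
  '';

  system.stateVersion = "25.11";
}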