{ modulesPath, config, lib, pkgs, inputs, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  # System
  system.stateVersion = "25.11";

  # Secrets management
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ];
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.secrets."authorizedSshPublicKeys" = { owner = "numbus-admin"; path = "/home/numbus-admin/.ssh/authorized_keys"; mode = "0600"; };
  sops.secrets."smtpPassword" = { owner = "numbus-admin"; mode = "0600"; };
  sops.secrets."cloudflareDnsApiToken" = { owner = "numbus-admin"; mode = "0600"; };

#  # TPM2 PCR check
#  systemIdentity.enable = true;
#  systemIdentity.pcr15 = "PCR_HASH"; 

  # Server
  time.timeZone = "Europe/Paris";
  config.numbus.owner = "Raphael";

  # Enable email notifications
  config.numbus.mail.enable = true;
  config.numbus.mail.userAddress = "user@tunea.eu";
  config.numbus.mail.adminAddress = "admin@tunea.eu";
  config.numbus.mail.smtpUsername = "raphaels.server@gmail.com";
  config.numbus.mail.smtpPasswordPath = config.sops.secrets.smtpPassword.path;