{ config, pkgs, lib, name, ... }:

{
  imports = [
    ../../modules/common.nix
    ../../modules/sops.nix
    ../../modules/nextcloud.nix
    ../../modules/forgejo.nix
  ];

  networking.hostName = name;

  # Prod: open ports for web
  networking.firewall.allowedTCPPorts = [ 80 443 22 ];

  services.flowback = {
    nextcloudHost = "cloud.example.com";
    forgejoHost   = "git.example.com";
  };

  # Production should enforce stronger auth; you can refine later.
  users.users.elifa = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI1L2SZzAfxkdHPsgJe0cx9s0owlMPyS6LnAURzXyad eli@wsl"
    ];
  };

  security.sudo.wheelNeedsPassword = true;

  system.stateVersion = "25.11";
}