{
  modulesPath,
  lib,
  pkgs,
  sops,
  config,
  ...
}@args:
{
  imports = [
    ./disk-config.nix
  ];

  nix = {
    extraOptions = ''
      experimental-features = ca-derivations nix-command flakes
    '';
    settings = {
      substituters = [
        "https://cache.nixos.org"
        "https://cache.ngi0.nixos.org/"
      ];
      trusted-public-keys = [
        "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
      ];
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    age.generateKey = false;

    secrets = {
      luks_passphrase = { };
      kj_hashed_password = {
        neededForUsers = true;
      };
      ssh_host_key_ed25519 = { };
      ssh_host_key_rsa = { };
    };
  };

  boot.loader.systemd-boot.enable = true;
  system.stateVersion = "25.05";
  swapDevices = [
    {
      device = "/swap/swapfile";
      size = 32768;
    }
  ];

  security.sudo.enable = true;
  users.mutableUsers = false;
  users.groups.kjtsanaktsidis = { };
  users.users = {
    kjtsanaktsidis = {
      createHome = true;
      isNormalUser = true;
      description = "KJ Tsanaktsidis";
      group = "kjtsanaktsidis";
      extraGroups = [
        "wheel"
        "networkmanager"
      ];
      shell = pkgs.zsh;
      hashedPasswordFile = config.sops.secrets.kj_hashed_password.path;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
      ];
    };
  };

  # Enable systemd-resolved for DNS
  services.resolved = {
    enable = true;
    llmnr = "true";
    extraConfig = ''
      MulticastDNS=yes
    '';
  };
  networking.hostName = "kj-laptop01";
  networking.nameservers = [ "127.0.0.53" ];
  networking.networkmanager = {
    enable = true;
    dns = "systemd-resolved";
    # Enable mDNS on NetworkManager connections
    connectionConfig = {
      "connection.mdns" = "2"; # 2 = yes (resolve & register)
    };
  };

  services.openssh = {
    enable = true;
    hostKeys = [
      {
        type = "ed25519";
        path = config.sops.secrets.ssh_host_key_ed25519.path;
      }
      {
        type = "rsa";
        path = config.sops.secrets.ssh_host_key_rsa.path;
      }
    ];
  };

  environment.systemPackages = with pkgs; [];

  # Enable zsh system-wide
  programs.zsh.enable = true;

  # Disable Alt+Left/Right virtual terminal switching
  console.keyMap = "us";
  environment.etc."vconsole.conf".text = ''
    KEYMAP=us
  '';

  # Create custom keymap that disables Alt+Arrow VT switching
  environment.etc."kbd/keymaps/disable-vt-switch.map".text = ''
    alt keycode 105 = noop
    alt keycode 106 = noop
  '';

  systemd.services.disable-vt-switching = {
    description = "Disable VT switching on Alt+Arrow keys";
    wantedBy = [ "multi-user.target" ];
    after = [ "systemd-vconsole-setup.service" ];
    script = ''
      ${pkgs.kbd}/bin/loadkeys /etc/kbd/keymaps/disable-vt-switch.map
    '';
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
  };
}