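{ config, pkgs, lib, ... }:

let
  # Shorthand for the service option tree; used to gate firewall openings
  # on the same `enable` flags that gate the systemd resource limits below.
  svc = config.services;
in
{
  imports = [
    ./netboot-base.nix
    ../modules
  ];

  # ============================================================================
  # SINGLE-NODE / ALL-IN-ONE INSTALL IMAGE
  # ============================================================================
  # This netboot image is the bare-metal companion to the QEMU-first
  # `single-node-quickstart` profile. It keeps only the minimum VM stack in the
  # image by default and leaves DNS, load-balancing, storage, API, metrics, and
  # Kubernetes layers as explicit add-ons in the final installed system.
  #
  # Included by default:
  # - Chainfire: local coordination and placement metadata
  # - FlareDB: metadata/event storage
  # - IAM: local identity plane for the dev profile
  # - PrismNET: VM networking control plane
  # - PlasmaVMC: VM control plane
  #
  # Optional after install:
  # - LightningStor, CoronaFS
  # - FlashDNS, FiberLB
  # - API Gateway, Nightlight, CreditService
  # - K8sHost
  # ============================================================================

  # Service binaries plus the virtualization/networking tools shipped in the image.
  environment.systemPackages = with pkgs; [
    chainfire-server
    flaredb-server
    iam-server
    prismnet-server
    plasmavmc-server
    qemu
    libvirt
    bridge-utils
    openvswitch
    curl
    jq
  ];

  # Every service is present but off by default (lib.mkDefault false), so the
  # final system configuration can switch each one on with a plain assignment.
  services.chainfire = {
    enable = lib.mkDefault false;
    port = 2379;
    raftPort = 2380;
    gossipPort = 2381;
    httpPort = 8081;
  };

  services.flaredb = {
    enable = lib.mkDefault false;
    port = 2479;
    raftPort = 2480;
    httpPort = 8082;
  };

  services.iam = {
    enable = lib.mkDefault false;
    port = 50080;
    httpPort = 8083;
  };

  services.prismnet = {
    enable = lib.mkDefault false;
    port = 50081;
    httpPort = 8087;
  };

  services.plasmavmc = {
    enable = lib.mkDefault false;
    port = 50082;
    httpPort = 8084;
  };

  # Both vendor KVM modules are listed; only the one matching the host CPU
  # is expected to load.
  boot.kernelModules = [ "kvm-intel" "kvm-amd" "tun" ];

  # Nested virtualization lets guests run their own hypervisor. It also widens
  # the hypervisor surface reachable from a guest, so it is worth turning off
  # on hosts that run untrusted VMs and do not need it.
  boot.extraModprobeConfig = ''
    options kvm_intel nested=1
    options kvm_amd nested=1
  '';

  networking.vswitches = lib.mkDefault {};

  # Firewall openings follow the service `enable` flags, mirroring the
  # lib.mkIf gating used for the systemd limits below: a disabled service no
  # longer leaves its API/raft/HTTP ports open in the host firewall.
  # The literal port numbers must be kept in sync with the services.* settings
  # above.
  #
  # NOTE(review): 16509 is libvirt's default plain-TCP listener port and 5900
  # is the first VNC display. Neither is encrypted by default; confirm both
  # must be reachable from the network, or restrict them to a management
  # interface / tunnel them over SSH.
  # NOTE(review): if any service binary is started by hand while its module is
  # disabled, its ports now need to be opened explicitly - confirm no install
  # workflow relies on that.
  networking.firewall.allowedTCPPorts =
    [
      22
      16509
      5900
    ]
    ++ lib.optionals svc.chainfire.enable [ 2379 2380 2381 8081 ]
    ++ lib.optionals svc.flaredb.enable [ 2479 2480 8082 ]
    ++ lib.optionals svc.iam.enable [ 50080 8083 ]
    ++ lib.optionals svc.prismnet.enable [ 50081 8087 ]
    ++ lib.optionals svc.plasmavmc.enable [ 50082 8084 ];

  # 4789 is the IANA-assigned VXLAN port (presumably the Open vSwitch overlay -
  # confirm); VXLAN itself carries no authentication, so this should only be
  # reachable from trusted underlay peers. 2381 is Chainfire's gossip port.
  networking.firewall.allowedUDPPorts =
    [ 4789 ] ++ lib.optionals svc.chainfire.enable [ 2381 ];

  services.lvm.enable = true;
  boot.supportedFilesystems = [ "ext4" "xfs" "btrfs" "zfs" ];

  # Per-service cgroup limits, applied only when the service is enabled.
  systemd.services.chainfire.serviceConfig = lib.mkIf svc.chainfire.enable {
    MemoryMax = "1G";
    CPUQuota = "100%";
  };

  systemd.services.flaredb.serviceConfig = lib.mkIf svc.flaredb.enable {
    MemoryMax = "1G";
    CPUQuota = "100%";
  };

  systemd.services.iam.serviceConfig = lib.mkIf svc.iam.enable {
    MemoryMax = "512M";
    CPUQuota = "50%";
  };

  systemd.services.plasmavmc.serviceConfig = lib.mkIf svc.plasmavmc.enable {
    MemoryMax = "512M";
    CPUQuota = "50%";
  };

  systemd.services.prismnet.serviceConfig = lib.mkIf svc.prismnet.enable {
    MemoryMax = "512M";
    CPUQuota = "50%";
  };

  boot.kernel.sysctl = {
    "fs.file-max" = 1000000;
    "net.core.netdev_max_backlog" = 5000;
    "net.core.rmem_max" = 134217728;
    "net.core.wmem_max" = 134217728;
    # IPv4/IPv6 forwarding turns the host into a router (presumably for VM
    # traffic - confirm). Forwarded traffic is not covered by the
    # allowedTCPPorts/allowedUDPPorts input rules above, so it needs its own
    # filtering policy.
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    "vm.swappiness" = 10;
  };
}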