{ inputs, pkgs, lib, config, ... }:
{
  # Example: 3-node HA control plane. Replace IPs/hostnames to match your cluster.
  imports = [ inputs.self.nixosModules.plasmacloud ];

  networking.hostName = lib.mkDefault "plasmacloud-node01";
  networking.firewall.allowedTCPPorts = [ 8080 8081 8082 8083 8084 8085 8086 8087 9000 9001 9002 2379 2380 2381 2479 2480 ];

  # Core data stores
  services.chainfire = {
    enable = true;
    dataDir = "/var/lib/chainfire";
    # Adjust ports if you need to avoid conflicts; defaults are fine for most cases.
    port = 2379;
    raftPort = 2380;
    gossipPort = 2381;
  };

  services.flaredb = {
    enable = true;
    dataDir = "/var/lib/flaredb";
    port = 2479;
    raftPort = 2480;
    httpPort = 8082;
  };

  # IAM
  services.iam = {
    enable = true;
    dataDir = "/var/lib/iam";
  };

  # Compute + networking + ingress
  services.plasmavmc.enable = true;
  services.prismnet.enable = true;
  services.flashdns.enable = true;
  services.fiberlb.enable = true;
  services.apigateway = {
    enable = true;
    authProviders = [{
      name = "iam";
      providerType = "grpc";
      endpoint = "http://127.0.0.1:${toString config.services.iam.port}";
    }];
    creditProviders = [{
      name = "creditservice";
      providerType = "grpc";
      endpoint = "http://127.0.0.1:${toString config.services.creditservice.grpcPort}";
    }];
    routes = [
      {
        name = "iam-rest";
        pathPrefix = "/iam";
        upstream = "http://127.0.0.1:8083";
        stripPrefix = true;
        auth = {
          provider = "iam";
          mode = "required";
        };
      }
      {
        name = "credit-rest";
        pathPrefix = "/credit";
        upstream = "http://127.0.0.1:${toString config.services.creditservice.httpPort}";
        stripPrefix = true;
        auth = {
          provider = "iam";
          mode = "required";
        };
        credit = {
          provider = "creditservice";
          mode = "optional";
          units = 1;
          commitOn = "success";
        };
      }
    ];
  };
  services.lightningstor.enable = true;
  services.creditservice.enable = true;

  # Optional: install binaries for debugging
  environment.systemPackages = with inputs.self.packages.${pkgs.system}; [
    chainfire-server flaredb-server iam-server plasmavmc-server
    prismnet-server flashdns-server fiberlb-server apigateway-server lightningstor-server
    creditservice-server
  ];
}