{
  lib,
  config,
  pkgs,
  modulesPath,
  suiteModules,
  ...
}: {
  imports = [
    "${modulesPath}/virtualisation/disk-image.nix"
    suiteModules.nixos.attic
  ];

  image.format = "raw";

  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "usb_storage"
    "uas"
    "ahci"
    "nvme"
    "usbhid"
    "sd_mod"
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.cudaSupport = true;

  nix.settings = {
    experimental-features = "nix-command flakes";
    auto-optimise-store = true;
    substituters = [
      "https://cache.nixos.org"
      "https://cuda-maintainers.cachix.org"
    ];
    trusted-public-keys = [
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
    ];
  };

  security.sudo.wheelNeedsPassword = false;

  networking.hostName = "beacon";
  time.timeZone = "Asia/Jerusalem";

  networking.networkmanager.enable = true;
  hardware.enableRedistributableFirmware = true;
  networking.useDHCP = false;
  environment.etc."NetworkManager/system-connections/Zakobar.nmconnection" = {
    mode = "0600";
    text = ''
      [connection]
      id=Zakobar
      type=wifi
      autoconnect=true

      [wifi]
      mode=infrastructure
      ssid=Zakobar

      [wifi-security]
      auth-alg=open
      key-mgmt=wpa-psk
      psk=0502711157

      [ipv4]
      method=manual
      address1=192.168.1.200/24,192.168.1.1
      dns=8.8.8.8;1.1.1.1;
      ignore-auto-dns=true

      [ipv6]
      method=disabled
    '';
  };

  # Swap is created on first boot after boot.growPartition expands the root
  # partition to the full drive size. Non-blocking: a failure just means no
  # swap on this boot (retried next boot once the partition has grown).
  systemd.services.beacon-swap = {
    description = "Create and activate swapfile";
    after = ["systemd-growfs@-.service" "local-fs.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      if [ ! -f /swapfile ]; then
        dd if=/dev/zero of=/swapfile bs=1M count=16384 status=progress
        chmod 600 /swapfile
        ${pkgs.util-linux}/bin/mkswap /swapfile
      fi
      ${pkgs.util-linux}/bin/swapon /swapfile
    '';
  };

  # NVIDIA RTX 4050 — Ada Lovelace supports open kernel modules
  services.xserver.videoDrivers = ["nvidia"];
  hardware.nvidia = {
    open = true;
    modesetting.enable = true;
    package = config.boot.kernelPackages.nvidiaPackages.stable;
  };
  hardware.graphics.enable = true;

  services.getty.autologinUser = "aner";

  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  users.users.aner = {
    isNormalUser = true;
    extraGroups = ["wheel" "video"];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfzDDO5juINctECmWlsYtGghEiX/RnTJ1cazLvOWSrPfsTyEd+B1+Ig8kFefNryjkpApfRXqj5KtLPNlpLfdVBrOIfhIveEp2MGqhgOGZFNVxQyXnZgii8Zdh4cqZ2O3pZpMsaAQBaJ9nH6dK0dJjicWT5f6TqwrVcInywRc5SuyizoSxoFmg7ch2rnlVi0j5XMVqdh8XLzHXZ7yWCzXy7+hWl/d7pwpyuzoK8dBw2EU9TauhgRDruom5Q9vWJTLStALC9pAIb0v9UFj9y+1zwx7pXsXp5F1g73EYrE4QR+QQ6z2LebuK280W0t+VA/fSCEB13DnkmofgqZQxX5MSCmrxZ5lTFp1FjW6yJo7As9FheF/GECowYkMRIx4IiQsjjHjZqlLRpLas11yAp6tGoZnw59hFo6Lu0Kva39jGVVmioYHtAeE5rD5w+v5kseJR4jlQ8aKB5yOjYUQOIz2AHQyoidgaeR2jPWqZUeRQbACI+/p3CHO45r3hrjATtGloBg0xF95Qws7Be3mjHVhbBLOoob8MdZ8nYAGnhlWrZphlkvXsHC6OUkuDJW00tmMjWXRlFwhFJ+nqUQCgLVjxVHQJ5rq9GeXBUuNXAeCm5BKBsdq+9qqVlt7D9iGyfr0lcZ7peKz/96KwPCWpG2En1Ur0/cVcbWnXEfG/xWO10tQ== openpgp:0xFA67FAB0"
    ];
  };

  environment.systemPackages = with pkgs; [
    git
    rsync
    tmux
    vim
    wget
    rclone
    pciutils
    nvtopPackages.nvidia
    cudaPackages.cudatoolkit
    cudaPackages.cudnn
    cudaPackages.nccl
    python3
    direnv
  ];

  azos.attic.enable = true;

  system.stateVersion = "25.11";
}