{
  pkgs,
  lib,
  ...
}:
with lib;
with lib.metacfg;
{
  imports = [
    ./hardware-configuration.nix
    ./xremap.nix
  ];

  nixpkgs.overlays = [
    (final: prev: {
      rocmPackages = prev.rocmPackages.overrideScope (rfinal: rprev: {
        rocm-runtime = rprev.rocm-runtime.overrideAttrs (prevAttrs: {
          patches = (prevAttrs.patches or [ ]) ++ [
            (final.fetchpatch {
              # [PATCH] hsakmt: bump vgpr count for gfx1151 (#1807) (#1986)
              name = "rocr-runtime-gfx1151-vgpr.patch";
              url = "https://github.com/ROCm/rocm-systems/commit/09ba45b3f43ec333a84a0ca178fcd1e3ea9400a9.patch";
              relative = "projects/rocr-runtime";
              includes = [ "libhsakmt/src/libhsakmt.h" ];
              hash = "sha256-/V5i+sr88n7fK4yNjR/FpY0ZpiEG5xAD6Oq+9ZOikd4=";
            })
            (final.fetchpatch {
              # [PATCH] hsakmt: Expose and use CWSR and Control stack sizes (#2200)
              name = "rocr-runtime-kernel-stack-size.patch";
              url = "https://github.com/ROCm/rocm-systems/commit/7037a71f311c021974fafd13727dfefd8a1cc79d.patch";
              relative = "projects/rocr-runtime";
              hash = "sha256-EbDxuEvNu0fyQJZmqq0fbcCdNtaEWUbmyPLvcfqDPjc=";
            })
          ];
        });
      });
    })
  ];
  boot.lanzaboote.pkiBundle = "/var/lib/sbctl";
  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;

  networking.firewall.allowedTCPPorts = [
    1234
    8000
  ];

  hardware.graphics = {
    enable = true;

    extraPackages =
      [ ]
      ++ lib.optionals pkgs.stdenv.targetPlatform.isx86_64 (
        with pkgs;
        [
          rocmPackages.clr.icd
        ]
      );
  };

  systemd.tmpfiles.rules =
    let
      rocmEnv = pkgs.symlinkJoin {
        name = "rocm-combined";
        paths = with pkgs.rocmPackages; [
          rocblas
          hipblas
          clr
        ];
      };
    in
    [
      "L+    /opt/rocm   -    -    -     -    ${rocmEnv}"
    ];

  powerManagement.cpuFreqGovernor = "performance";

  services.openssh = {
    enable = true;
  };

  services.tailscale.enable = true;
  services.resolved.enable = true;

  metacfg = {
    hardware.wooting.enable = true;
    base.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    secureboot.enable = true;
    podman.enable = true;
    build.enable = true;

    system = {
      limits = {
        enable = true;
        nofileLimit = 32768;
        memlockLimit = 32768;
      };
    };

    # User configuration
    tools = {
      direnv.enable = true;
    };
    user.extraGroups = [
      "docker"
      "dialout"
      "tss"
    ];
    system.kernelTweaks.enable = true;
  };

  system.autoUpgrade = {
    enable = true;
    operation = "boot";
    allowReboot = false;
  };

  # Additional kernel tuning beyond the module defaults
  boot.kernel.sysctl = {
    # Reduce swap usage (you have zram)
    "vm.swappiness" = 10;
    # Prefer keeping directory/inode caches
    "vm.vfs_cache_pressure" = 50;
    # Faster dirty page writeback
    "vm.dirty_ratio" = 10;
    "vm.dirty_background_ratio" = 5;
  };

  # SSD TRIM support
  services.fstrim = {
    enable = true;
    interval = "weekly";
  };

  environment.systemPackages = with pkgs; [
    attic-client
    azure-cli
    claude-code
    nvtopPackages.amd
    obsidian
    piper-tts
    uv
  ];

  # zram swap with zstd compression for better performance
  zramSwap = {
    algorithm = "zstd";
    memoryPercent = 50;
  };

  services.ratbagd.enable = true;

  system.stateVersion = "25.11";
}