{ config, pkgs, lib, strix-halo-pkgs, ... }:

let
  # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop)
  # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues
  bisqPkgs = import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz";
    sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s";
  }) { system = pkgs.system; };
in
{
  imports = [
    ./hardware-configuration.nix
    ./nginx.nix
    ./forgejo.nix
    ./radicale.nix
    ./ollama.nix
    # ./llama-server.nix  # disabled: source build broken (LLVM 22 vs 19 mismatch in strix-halo overlay)
    # ./docuseal.nix
  ];

  environment.systemPackages = with pkgs; [
    bisqPkgs.bisq-desktop  # v1.9.15-1.9.17 from nixos-24.05
    bisq2
    llamacpp-rocm-bin-gfx1151  # prebuilt b1025; source build broken (LLVM mismatch)
    # strix-halo-pkgs.llamacpp-rocm-gfx1151  # source-built, re-enable when overlay fixes LLVM 22/19 mismatch
    lmstudio
  ];

  networking.hostName = "crossbox";
  system.stateVersion = "25.11";
  networking.firewall.allowedTCPPorts = [ 22 1234 ];
  services.pulseaudio.enable = false;

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      rocmPackages.clr.icd # ROCm OpenCL runtime
      rocmPackages.clr
      rocmPackages.rocminfo
      rocmPackages.rocm-runtime
    ];
  };

  boot.kernelParams = [ "amdgpu.gttsize=115200" ];
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # ROCm environment for gfx1151 (Strix Halo)
  # gfx1151 lacks TensileLibrary support in most ROCm builds,
  # so we override to gfx1100 which is close enough and has full library support.
  # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers.
  environment.variables = {
    HSA_OVERRIDE_GFX_VERSION = "11.0.0";
  };

  # List services that you want to enable:
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Disable automatic suspend.
  # Otherwise SSH tunnels and HDMI signals break.
  services.logind = {
    settings = {
      Login = {
        HandleLidSwitch = "ignore";
	HandleHibernateKey = "ignore";
	HandleSuspendKey = "ignore";
	HandlePowerKey = "ignore";
      };
    };
  };

  virtualisation.docker = {
    enable = true;
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };
}