{ config, pkgs, pkgs-unstable, ... }:

# ops-jrz1 production VPS configuration.
# Imports the Matrix modules extracted from ops-base, declares the sops-nix
# secrets this host consumes, and enables the dev-platform service stack.
{
  imports = [
    # Hardware configuration
    ../hardware-configuration.nix

    # Matrix platform modules
    ../modules/matrix-continuwuity.nix
    ../modules/mautrix-slack.nix
    ../modules/mautrix-whatsapp.nix
    ../modules/mautrix-gmessages.nix
    ../modules/dev-services.nix

    # Host hardening modules
    ../modules/security/fail2ban.nix
    ../modules/security/ssh-hardening.nix

    # Secret plumbing for the Matrix stack
    ../modules/matrix-secrets
  ];

  # System configuration
  networking.hostName = "jrz1";

  # sops-nix secrets management
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;

    # The age identity is derived from the host's SSH ed25519 key, so that
    # private key is what decrypts secrets.yaml on this machine. Anyone who
    # obtains it can decrypt every secret encrypted to this host, and a
    # regenerated host key means the secrets file must be re-encrypted for
    # the new recipient.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      matrix-registration-token = {
        # Used by dev-services.nix matrix-continuwuity via systemd
        # LoadCredential. No owner is set here; root ownership is correct
        # for DynamicUser services, which receive the value as a credential
        # rather than reading the file themselves.
        mode = "0400"; # owner read-only
      };

      acme-email = {
        owner = "root";
        # NOTE(review): 0444 lets every local account read the decrypted
        # file. An e-mail address is low-sensitivity, but confirm the
        # consumer really needs world-read; otherwise narrow it to the
        # consuming service's user or group.
        mode = "0444";
      };
    };
  };

  # Matrix homeserver configuration
  # NOTE: Disabled in favor of dev-platform.matrix which provides integrated
  # bridge coordination and systemd credential-based secrets management
  # services.matrix-homeserver = {
  #   enable = true;
  #   domain = "clarun.xyz";
  #   port = 8008;
  #   enableRegistration = true;
  #   enableFederation = false;
  # };

  # Development platform services (Matrix, Forgejo, bridges)
  # NOTE(review): bind addresses and firewall rules are not set in this file.
  # Confirm in the dev-platform module that ports 8008, 3000 and 29319 are
  # reachable only the way you intend (e.g. via the reverse proxy) and are
  # not exposed directly.
  services.dev-platform = {
    enable = true;
    domain = "clarun.xyz";

    matrix = {
      enable = true;
      serverName = "clarun.xyz";
      port = 8008;
    };

    forgejo = {
      enable = true;
      subdomain = "git";
      port = 3000;
    };

    slackBridge = {
      enable = true;
      workspace = "chochacho";
      port = 29319;
    };
  };

  # Marks the NixOS release this machine's state was created under; it is
  # not meant to be bumped as part of routine upgrades.
  system.stateVersion = "24.05";
}