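# NixOS installer ISO for the "coven" host: the stock graphical Calamares/Plasma 6
# image plus the tooling and a guided `install-coven` script for a disko-managed
# LUKS layout unlocked by a YubiKey (FIDO2) with the passphrase as recovery key.
{ pkgs, modulesPath, inputs, ... }:

{
  imports = [
    (modulesPath + "/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix")
  ];

  # Tools needed for the install process.
  environment.systemPackages = with pkgs; [
    # Disk setup
    inputs.disko.packages.${pkgs.system}.disko
    cryptsetup

    # YubiKey enrollment (systemd-cryptenroll for FIDO2)
    yubikey-personalization
    yubikey-manager
    libfido2

    # Misc
    git

    # Install script — available as `install-coven` in PATH.
    # Runs the five install steps in order; `set -e` aborts on the first
    # failing step, so the comments below say what state the disk is in at
    # each point.
    (pkgs.writeShellScriptBin "install-coven" ''
      set -euo pipefail

      FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main"
      # Must match the partition label the disko layout for "coven" in the
      # flake assigns to the LUKS container.
      LUKS_PART="/dev/disk/by-partlabel/disk-main-luks"
      # Used only for the warning text. The disk that is actually wiped is the
      # one named in the flake's disko layout — keep the two in sync.
      TARGET_DISK="/dev/nvme0n1"

      echo "======================================================"
      echo " coven install script"
      echo " Flake: ''${FLAKE}"
      echo "======================================================"
      echo ""
      echo "WARNING: This will ERASE ALL DATA on ''${TARGET_DISK}"
      echo "Type 'yes' to continue; anything else aborts."
      # An explicit word, not a bare Enter: a stray keypress or a non-interactive
      # stdin must not start a destructive wipe.
      read -r confirm
      if [[ "''${confirm}" != "yes" ]]; then
        echo "Aborted."
        exit 1
      fi

      echo ""
      echo "[1/5] Partitioning, formatting, and mounting via disko..."
      echo "(You will be prompted to set a LUKS passphrase — this becomes your recovery key.)"
      # From here on the target disk has been wiped; re-running the script
      # would wipe it again.
      disko --mode disko --flake "''${FLAKE}#coven"

      echo ""
      echo "[2/5] Enrolling YubiKey FIDO2 into LUKS container..."
      echo " Insert your YubiKey and touch it when prompted."
      # systemd-cryptenroll asks for the passphrase from step 1 to unlock the
      # keyslot. Retry instead of aborting: the disk is already wiped, and a
      # missing or untouched key should not throw away the install.
      until systemd-cryptenroll --fido2-device=auto "''${LUKS_PART}"; do
        echo "Enrollment failed. Insert/touch the YubiKey and press Enter to retry, or Ctrl-C to abort."
        read -r
      done

      echo ""
      echo "[3/5] Installing NixOS..."
      # --no-root-password: root gets no password here; the interactive login
      # account is sonja, set up in the next step.
      nixos-install --flake "''${FLAKE}#coven" --no-root-password --root /mnt

      echo ""
      echo "[4/5] Setting user password for sonja..."
      nixos-enter --root /mnt -c 'passwd sonja'

      echo ""
      echo "[5/5] Done!"
      echo ""
      echo "Next steps after first boot:"
      echo " 1. Fill in your GPG fingerprint in .sops.yaml"
      echo " 2. Create and encrypt secrets/secrets.yaml"
      echo " 3. Uncomment sops config in hosts/coven/configuration.nix"
      echo ""
      echo "Remove the install media and reboot."
      read -rp "Reboot now? [y/N] " yn
      if [[ "''${yn}" =~ ^[Yy]$ ]]; then
        reboot
      fi
    '')
  ];

  # udev rules so the YubiKey is accessible without root; pcscd for the
  # smart-card (CCID) interface used by yubikey-manager.
  services.udev.packages = [ pkgs.yubikey-personalization ];
  services.pcscd.enable = true;

  # Enable SSH so the machine can be administered remotely during install.
  services.openssh.enable = true;
  # The live image is reachable on the LAN while it runs; allow key-based
  # logins only, so the authorized key below is the single remote access path
  # and a password set ad hoc in the live session cannot be guessed over SSH.
  services.openssh.settings.PasswordAuthentication = false;
  # Add your SSH public key here to allow passwordless remote access from the
  # ISO (build the image after adding it).
  # users.users.nixos.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA..." ];

  nixpkgs.hostPlatform = "x86_64-linux";
  isoImage.squashfsCompression = "zstd -Xcompression-level 6";
  system.stateVersion = "25.11";
}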