{ pkgs, inputs, config, ... }:
{
  imports = [
    ../../common/encrypted-btrfs-layout.nix
    ../../common/global
    ../../common/desktop-node.nix     # Hyprland + GUI environment
    ../../common/cluster-member.nix  # Consul + storage clients
    ../../common/cluster-tools.nix    # Nomad CLI (no service)
    ./hardware.nix
  ];

  diskLayout = {
    mainDiskDevice = "/dev/disk/by-id/nvme-CT1000P3PSSD8_25164F81F31D";
    #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777650797-0:0";
    keyDiskDevice = "/dev/sda";
  };

  networking.hostName = "beefy";
  networking.cluster.primaryInterface = "enp1s0";
  services.tailscaleAutoconnect.authkey = "tskey-auth-k79UsDTw2v11CNTRL-oYqji35BE9c7CqM89Dzs9cBF14PmqYsi";

  # Console blanking after 5 minutes (for greeter display sleep)
  # NMI watchdog for hardlockup detection
  boot.kernelParams = [ "consoleblank=300" "nmi_watchdog=1" ];

  # Netconsole - stream kernel messages to zippy (192.168.1.2)
  # Must configure via configfs after network is up (interface doesn't exist at module load)
  boot.kernelModules = [ "netconsole" ];
  boot.kernel.sysctl."kernel.printk" = "8 4 1 7";  # Raise console_loglevel to send all messages
  systemd.services.netconsole-sender = {
    description = "Configure netconsole to send kernel messages to zippy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      TARGET=/sys/kernel/config/netconsole/target1
      mkdir -p $TARGET
      # Disable first if already enabled (can't modify params while enabled)
      if [ -f $TARGET/enabled ] && [ "$(cat $TARGET/enabled)" = "1" ]; then
        echo 0 > $TARGET/enabled
      fi
      echo enp1s0 > $TARGET/dev_name
      echo 192.168.1.2 > $TARGET/remote_ip
      echo 6666 > $TARGET/remote_port
      echo c0:3f:d5:62:55:bb > $TARGET/remote_mac
      echo 1 > $TARGET/enabled
    '';
  };

  # Kdump for kernel crash analysis
  boot.crashDump = {
    enable = true;
    reservedMemory = "256M";
  };

  # Lockup detectors - panic on detection so kdump captures state
  boot.kernel.sysctl = {
    # Enable all SysRq functions for debugging hangs
    "kernel.sysrq" = 1;
    # Panic on soft lockup (CPU not scheduling for >20s)
    "kernel.softlockup_panic" = 1;
    # Panic on hung tasks (blocked >120s)
    "kernel.hung_task_panic" = 1;
    "kernel.hung_task_timeout_secs" = 120;
  };

  # Persist crash dumps
  environment.persistence.${config.custom.impermanence.persistPath}.directories = [
    "/var/crash"
  ];
}