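# NixOS system configuration: LUKS-encrypted ext4 root unlocked in the initrd,
# systemd-boot on EFI, key-only SSH, Docker, PipeWire audio and Bluetooth.
{ config, pkgs, ... }:

{
  boot = {
    # Bootloader: systemd-boot with EFI support
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    initrd = {
      luks.devices = {
        "root" = {
          # Encrypted root partition. /dev/sdX names can change between boots
          # or when a disk is added; a stable path such as
          # /dev/disk/by-uuid/<LUKS-PARTITION-UUID> (placeholder) is safer.
          device = "/dev/sda1";
          preLVM = true;
          # Passes TRIM through dm-crypt (useful on SSDs). The trade-off is
          # that anyone reading the raw disk can see which blocks are unused;
          # set to false if that metadata leak matters for this machine.
          allowDiscards = true;
        };
      };

      # Use the systemd-based initrd (stage 1). This is a choice, not a LUKS
      # requirement: the scripted initrd can unlock LUKS devices as well.
      systemd.enable = true;

      # Modules that must be loadable in the initrd to open and mount root.
      availableKernelModules = [ "dm-crypt" "dm-mod" "ext4" ];
    };

    # No root= / cryptdevice= kernel parameters are set. NixOS generates the
    # unlock step from boot.initrd.luks.devices and mounts / from
    # fileSystems."/"; cryptdevice= is the mkinitcpio (Arch) convention and is
    # not read by the NixOS initrd.
  };

  # Root file system on the unlocked LUKS mapping
  fileSystems."/" = {
    device = "/dev/mapper/root";
    fsType = "ext4";
  };

  # EFI system partition. It is unencrypted, so kernels and initrds stored
  # here are not protected by LUKS.
  fileSystems."/boot" = {
    device = "/dev/sda2";
    fsType = "vfat";
    # umask=0077: vfat has no per-file permissions, so restrict the whole
    # mount (boot images, systemd-boot random seed) to root.
    # nofail: a failed mount does not stop the boot; confirm /boot is mounted
    # before rebuilding so boot entries are written to the ESP.
    options = [ "nofail" "defaults" "umask=0077" ];
  };

  # Swap file (4GB). It lives on the LUKS-backed root file system, so
  # swapped-out memory is encrypted at rest.
  swapDevices = [
    {
      device = "/swapfile";
      size = 4096; # MiB
    }
  ];

  # Locale and timezone
  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";

  # SSH: public-key authentication only, no direct root login.
  # No users or authorized keys are declared in this file; they have to be
  # provided elsewhere before SSH access works.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # Docker. Access to the Docker daemon is equivalent to root on the host, so
  # keep membership of the docker group minimal (none is granted here).
  virtualisation.docker.enable = true;

  # PipeWire for audio, with the PulseAudio compatibility server
  services.pipewire = {
    enable = true;
    pulse.enable = true;
  };

  # Bluetooth: blueman is only the manager front end; the Bluetooth stack
  # itself is enabled through hardware.bluetooth.
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
}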