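# Flake for the "Qai base" NixOS guest: exports the shared NixOS module, a
# runnable QEMU VM, a qcow2 disk image, and a dev shell that carries the SSH
# port-forward setting.
{
  description = "Qai base NixOS VM image";

  # opencode is the only input that names a commit. The others name no
  # revision, so what they resolve to is whatever flake.lock records;
  # reproducibility therefore depends on a committed lock file (not visible
  # here). `nixpkgs` is used below without being declared in this set.
  inputs = {
    home-manager = {
      url = "github:rycee/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    flake-utils = {
      url = "github:numtide/flake-utils";
    };
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
    opencode.url = "github:anomalyco/opencode?ref=ad4bdd9f0fb7670949b5c47917bb656247ac60ac";
    ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
  };

  outputs =
    inputs@{
      self,
      nixpkgs,
      flake-utils,
      nixos-generators,
      ...
    }:
    let
      # NixOS module shared by every output below (VM runner, qcow2 image,
      # nixosModules.default).
      baseModule =
        {
          config,
          pkgs,
          lib,
          ...
        }:
        let
          # Used for both system.stateVersion and root's home.stateVersion.
          stateVersion = "26.05";
        in
        {
          imports = [
            inputs."home-manager".nixosModules.default
            inputs.ros_neovim.nixosModules.default
            inputs.common.nixosModules.essentials
            inputs.common.nixosModules.git
            inputs.common.nixosModules.zsh
            inputs.common.nixosModules.tmux
            (
              { ... }:
              {
                home-manager = {
                  useUserPackages = true;
                  useGlobalPkgs = true;
                  backupFileExtension = "bak";
                  users.root = {
                    home.stateVersion = stateVersion;
                    programs.home-manager.enable = true;
                  };
                  sharedModules = [
                    inputs.common.homeManagerModules.atuin
                    inputs.common.homeManagerModules.git
                    inputs.common.homeManagerModules.postgres_cli_options
                    inputs.common.homeManagerModules.starship
                    inputs.common.homeManagerModules.zoxide
                    inputs.common.homeManagerModules.zsh
                    inputs.common.homeManagerModules.tmux
                    inputs.common.homeManagerModules.direnv
                  ];
                };
              }
            )
          ];

          # Both settings accept every unfree package; the predicate is
          # redundant with allowUnfree but kept as written.
          nixpkgs.config = {
            allowUnfree = true;
            allowUnfreePredicate = (_: true);
          };

          networking.hostName = "qai-base";

          # SSH enabled for terminal access via WebSocket proxy.
          # Password login as root is on and the root password is the fixed
          # string below, so it is baked into every image built from this
          # module and readable by anyone with the flake. Reachability of
          # guest port 22 is the only control: keep the guest behind the
          # loopback-only forward (vmVariant below) and off bridged networks.
          # NOTE(review): if the proxy can authenticate with a key, prefer
          # users.users.root.openssh.authorizedKeys.keys and turn
          # PasswordAuthentication off.
          services.openssh = {
            enable = true;
            settings.PasswordAuthentication = true;
            settings.PermitRootLogin = "yes";
          };
          users.users.root.password = "root";

          # Avoid slow boots due to wait-online.
          systemd.network.wait-online.enable = false;
          systemd.services.NetworkManager-wait-online.enable = false;
          systemd.services.systemd-networkd-wait-online.enable = false;

          networking.firewall.allowedTCPPorts = [ 22 ];

          # Needed so `nix develop` works inside the VM.
          nix.settings.experimental-features = [
            "nix-command"
            "flakes"
          ];

          # Host binary cache (QEMU user-net host is reachable at 10.0.2.2).
          # Only effective at runtime, not during image build.
          networking.hosts."10.0.2.2" = [ "lio" ];

          # Note: These substituters are for runtime use. The build VM can't reach them.
          # The cache is fetched over plain HTTP. Store paths from it are
          # still verified against the public key below as long as Nix's
          # signature requirement stays at its default, but the transfer
          # itself is neither encrypted nor authenticated.
          nix.settings.substituters = lib.mkAfter [ "http://lio:5000" ];
          nix.settings.trusted-public-keys = lib.mkAfter [
            "lio:9jKQ2xJyZjD0AWFzMcLe5dg3s8vOJ3uffujbUkBg4ms="
          ];

          # Fallback timeout so nix doesn't hang if lio is unreachable
          nix.settings.connect-timeout = 5;

          time.timeZone = "America/Chicago";

          # Git 2.35+ blocks repos owned by different uid; 9p shares can trip this.
          # NOTE(review): the stated intent is the task directories under
          # /workspace (task-1, task-2, etc.), but `*` switches the ownership
          # check off for every repository on the system, so git run as root
          # will honour the config of any checkout it is pointed at. Narrow
          # this once the exact mount layout is confirmed.
          environment.etc."gitconfig".text = ''
            [safe]
              directory = *
          '';

          programs.zsh.enable = true;
          users.users.root.shell = pkgs.zsh;

          environment.systemPackages = with pkgs; [
            zsh
            git
            htop
            vim
            # stdenv.hostPlatform.system is the non-deprecated spelling of
            # pkgs.system and yields the same string.
            inputs.opencode.packages.${pkgs.stdenv.hostPlatform.system}.default
          ];

          # `oc` clears the proxy variables for that one invocation of opencode.
          environment.shellAliases = {
            "oc" = "all_proxy='' http_proxy='' https_proxy='' opencode";
            "occ" = "oc -c";
          };

          # Default disk is too small for `nix develop` / direnv.
          virtualisation.diskSize = 20 * 1024;

          virtualisation.vmVariant = {
            virtualisation = {
              memorySize = 4096;
              cores = 2;
              graphics = false;
            };
            # Bind the forward to the host's loopback address. Without
            # host.address QEMU listens on every host interface, which would
            # put the root/root SSH login on the host's network.
            # NOTE(review): assumes the WebSocket proxy runs on the same host;
            # override host.address if it connects from elsewhere.
            virtualisation.forwardPorts = [
              {
                from = "host";
                host.address = "127.0.0.1";
                host.port = 2221;
                guest.port = 22;
              }
            ];
          };

          system.stateVersion = stateVersion;
        };
    in
    {
      nixosModules.default = baseModule;
    }
    // flake-utils.lib.eachDefaultSystem (
      system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        # Full system evaluation of baseModule for this platform.
        baseVm = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [ baseModule ];
        };
      in
      {
        nixosConfigurations.base = baseVm;

        # Runnable VM (./result/bin/run-nixos-vm)
        packages.vm = baseVm.config.system.build.vm;

        # Bootable qcow2 disk image (./result/nixos.qcow2)
        packages.qcow2 = nixos-generators.nixosGenerate {
          inherit system;
          format = "qcow";
          modules = [ baseModule ];
        };

        apps.default = {
          type = "app";
          program = "${baseVm.config.system.build.vm}/bin/run-nixos-vm";
        };

        # Same loopback-only forward as vmVariant, in QEMU's own syntax.
        # NOTE(review): vmVariant already forwards host port 2221; confirm
        # this variable is not also applied to that runner, since the same
        # rule twice would presumably conflict.
        devShells.default = pkgs.mkShellNoCC {
          QEMU_NET_OPTS = "hostfwd=tcp:127.0.0.1:2221-:22";
        };
      }
    );
}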