{ lib, pkgs, ... }:

{
  imports = [
    ../modules/ec-node.nix
    ../modules/ec-runner.nix
  ];

  services.every-channel.runner.enable = true;
  services.every-channel.runner.overlayRoot.enable = lib.mkDefault true;

  # This is a role image; avoid baking per-host secrets/keys. SSH host keys will be
  # generated at first boot by NixOS defaults.
  networking.hostName = lib.mkDefault "ec-runner";

  time.timeZone = lib.mkDefault "UTC";

  # Basic hygiene for unattended boxes.
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.KbdInteractiveAuthentication = false;

  # Enable serial console logs where possible (helps in headless bring-up).
  boot.kernelParams = [
    "console=tty0"
  ];

  # Required by NixOS.
  system.stateVersion = "24.11";
}