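# every.channel runner: base NixOS profile for headless, unattended runners.
#
# Provides conservative defaults (DHCP, key-only SSH, flakes, bounded GC,
# volatile logs) and an optional non-persistent root: the on-disk root is
# mounted read-only and a tmpfs-backed overlayfs is layered on top in stage 1.
{ lib, config, pkgs, self, ... }:

let
  cfg = config.services.every-channel.runner;

  # Staging directory on the initramfs rootfs where the overlay layers are
  # assembled. It deliberately lives outside /mnt-root: the kernel refuses to
  # move a mount into its own subtree, and creating directories under the real
  # root would persist them on disk. The directory is exposed at the same path
  # inside the final root once the overlay is in place.
  overlayDir = "/.ec-overlay";
in
{
  options.services.every-channel.runner = {
    enable = lib.mkEnableOption "every.channel runner base system profile";

    overlayRoot = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          If enabled, mount the real root filesystem read-only and layer a
          tmpfs-backed overlayfs upperdir on top. Runtime mutations are then
          non-persistent (lost on reboot) while normal operation continues.

          Requires the scripted stage-1 initrd: the overlay is assembled from
          `boot.initrd.postMountCommands`, which is not run when
          `boot.initrd.systemd.enable` is set.

          Note: for reliable in-place upgrades, mount `/boot` and `/nix` as
          separate persistent filesystems outside the overlay.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.overlayRoot.enable -> !config.boot.initrd.systemd.enable;
        message = "services.every-channel.runner.overlayRoot.enable requires the scripted initrd: boot.initrd.postMountCommands is not run when boot.initrd.systemd.enable is true.";
      }
    ];

    # Minimal, conservative baseline for headless runners.
    networking.useDHCP = lib.mkDefault true;
    services.openssh.enable = lib.mkDefault true;
    # A headless runner has no interactive users; accept keys only by default.
    # Both are mkDefault so a host can opt back in explicitly.
    services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
    services.openssh.settings.KbdInteractiveAuthentication = lib.mkDefault false;

    # Keep Nix flakes available on the runner itself.
    nix.settings.experimental-features = lib.mkDefault [ "nix-command" "flakes" ];

    # Provide the flake source tree at a stable path (symlink into /nix/store).
    environment.etc."every-channel/flake".source = self;

    environment.systemPackages = with pkgs; [ git jq curl ];

    # Appliance defaults: avoid persistence-by-accident in logs.
    services.journald.storage = lib.mkDefault "volatile";

    # GC defaults to keep store growth bounded on unattended boxes.
    nix.gc.automatic = lib.mkDefault true;
    nix.gc.dates = lib.mkDefault "weekly";
    nix.gc.options = lib.mkDefault "--delete-older-than 14d";
    boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;

    # overlayfs must be loadable in stage 1 to mount the overlay root.
    boot.initrd.kernelModules = lib.mkIf cfg.overlayRoot.enable [ "overlay" ];

    # Make the on-disk root read-only and provide a tmpfs-backed writable layer.
    # This text is inlined verbatim into the stage-1 init script, after the real
    # root has been mounted at /mnt-root. Consequences:
    #   * never `exit` here -- that terminates stage 1 (PID 1) itself;
    #   * `set -e`/`set -u` are scoped to a subshell so they do not alter the
    #     behaviour of the stage-1 code that follows this snippet.
    boot.initrd.postMountCommands = lib.mkIf cfg.overlayRoot.enable ''
      # If something else already overlaid the root (e.g. installer media), do nothing.
      if grep -q " /mnt-root overlay " /proc/mounts; then
        echo "every-channel: /mnt-root is already an overlay, leaving it alone" >&2
      elif ! (
        set -eu

        # Assemble the layers on the initramfs rootfs, not under /mnt-root
        # (see overlayDir). Nothing here touches the on-disk root.
        mkdir -p ${overlayDir}
        mount -t tmpfs tmpfs ${overlayDir} -o mode=0755
        mkdir -p ${overlayDir}/ro ${overlayDir}/rw/upper ${overlayDir}/rw/work

        # Move the real root mount out of the way, then remount it read-only.
        mount --move /mnt-root ${overlayDir}/ro
        mount -o remount,ro ${overlayDir}/ro

        # Upper/work live on the tmpfs, so mutations disappear on reboot.
        mount -t overlay overlay /mnt-root \
          -o lowerdir=${overlayDir}/ro,upperdir=${overlayDir}/rw/upper,workdir=${overlayDir}/rw/work

        # Best effort: expose the layers inside the new root for inspection.
        # The mountpoint directory lands in the tmpfs upper, not on disk.
        mkdir -p /mnt-root${overlayDir}
        mount --move ${overlayDir} /mnt-root${overlayDir} \
          || echo "every-channel: could not expose overlay layers at ${overlayDir}" >&2
      ); then
        echo "every-channel: overlay root setup failed" >&2
        # Stage-1 helper: hands control to the initrd's failure handling
        # (rescue shell or panic, per its configuration) instead of exiting PID 1.
        fail
      fi
    '';
  };
}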