{ lib, ... }:

{
  options.nomarchy.system = {
    dns = lib.mkOption {
      type = lib.types.enum [ "Cloudflare" "Google" "DHCP" "Custom" ];
      default = "DHCP";
      description = "Selected DNS provider.";
    };
    customDns = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      description = "List of custom DNS servers.";
    };
    wifi = {
      powersave = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = "Whether to enable wifi power saving.";
      };
    };
    timezone = lib.mkOption {
      type = lib.types.str;
      default = "UTC";
      description = "System timezone.";
    };
    features = {
      fingerprint = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable fingerprint support.";
      };
      fido2 = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable FIDO2 support.";
      };
      hybridGPU = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable hybrid GPU support (supergfxd).";
      };
    };
    theme = lib.mkOption {
      type = lib.types.str;
      default = "summer-night";
      description = "Selected system theme.";
    };

    # ----- Tier 1 system features (all opt-in, no behavioural change off) ---

    snapper = {
      enable = lib.mkEnableOption ''
        Snapper-driven BTRFS timeline snapshots of `/`. Auto-disables when
        `/` isn't BTRFS. Includes a `nixos-rebuild-snap` wrapper that takes
        a "Pre-rebuild" snapshot before each switch.
      '';
    };

    hibernation = {
      enable = lib.mkEnableOption ''
        suspend-then-hibernate (lid close, idle, power button). NOTE: this
        requires a disk swap device or swapfile sized to at least RAM —
        zRAM alone is not enough.
      '';
      idleMinutes = lib.mkOption {
        type = lib.types.int;
        default = 30;
        description = "Idle minutes before suspend-then-hibernate fires.";
      };
    };

    containers = {
      enable = lib.mkEnableOption ''
        Rootless Podman with Docker compatibility (`docker` → `podman`),
        plus podman-compose, podman-tui and dive.
      '';
    };

    virtualization = {
      libvirt = {
        enable = lib.mkEnableOption ''
          libvirt daemon + virt-manager + OVMF. The user must be in the
          `libvirtd` group.
        '';
      };
    };

    keyring = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = ''
          Auto-unlock GNOME Keyring at SDDM/Hyprland login and route SSH
          keys through `gcr-ssh-agent`. Default on — near-universal QoL
          improvement.
        '';
      };
    };

    inputMethod = {
      enable = lib.mkEnableOption ''
        fcitx5 input method (CJK / IME). Wires NixOS's i18n.inputMethod and
        autostarts fcitx5-daemon. Adds a small footprint when enabled, so
        most users want this off.
      '';
    };

    voxtype = {
      enable = lib.mkEnableOption ''
        voxtype voice-typing integration. NOTE: voxtype is not packaged in
        nixpkgs — when enabled, install voxtype yourself (e.g. via
        `home.packages = [ (pkgs.callPackage … {}) ]`). With this off the
        SUPER+CTRL+X keybinding and waybar widget are no-ops.
      '';
    };
  };
}