{pkgs, ...}: {
  # ----------------------------
  # Docker runtime (for UI only)
  # ----------------------------
  virtualisation.docker.enable = true;
  virtualisation.docker.autoPrune.enable = true;

  # ----------------------------
  # Ollama (native, stable core)
  # ----------------------------
  services.ollama = {
    enable = true;
    host = "127.0.0.1";
    port = 11434;
  };

  # ----------------------------
  # Persistent storage
  # ----------------------------
  systemd.tmpfiles.rules = [
    "d /var/lib/odysseus 0755 root root -"
  ];

  # ----------------------------
  # Odysseus UI container (minimal)
  # ----------------------------
  virtualisation.oci-containers.containers.odysseus = {
    image = "ghcr.io/pewdiepie-archdaemon/odysseus:latest";

    ports = [
      "7000:7000"
    ];

    volumes = [
      "/var/lib/odysseus:/app/data"
    ];

    environment = {
      LLM_HOST = "http://host.docker.internal:11434";
      AUTH_ENABLED = "true";
    };

    extraOptions = [
      "--add-host=host.docker.internal:host-gateway"
      "--restart=unless-stopped"
    ];
  };

  # ----------------------------
  # Optional: reverse proxy (clean URL)
  # ----------------------------
  services.nginx = {
    enable = true;

    virtualHosts."ai.local" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:7000";
        proxyWebsockets = true;
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    7000
  ];
}