{ config, lib, pkgs, ... }:
let
  user = "dominik";
  home = "/home/${user}";
  npmPrefix = "${home}/.npm-global";
  node = pkgs.nodejs; # or pkgs.nodejs_20
in {
  home-manager.users.dominik = { config, lib, pkgs, ... }: {
    home.packages = with pkgs; [
      node
      gnutar     # provides `tar`
      gzip       # provides `gzip` used by tar
      unzip  
      python314  # useful for codex model use
      jq         # useful for JSON processing
      (pkgs.writeShellScriptBin "codex" ''
        #!${pkgs.bash}/bin/bash
        set -euo pipefail

        # Required dirs
        mkdir -p "$HOME/.cache/codex-tmp" "$HOME/.cache/xdg-runtime" "$HOME/.config" "$HOME/.cache" "$HOME/.local/share"
        chmod 700 "$HOME/.cache/codex-tmp" "$HOME/.cache/xdg-runtime" "$HOME/.config" "$HOME/.local/share"

        # Pass through cert vars if present (avoids TLS issues)
        EXTRA_ENV=()
        [ -n "''${SSL_CERT_FILE-}" ] && EXTRA_ENV+=(SSL_CERT_FILE="$SSL_CERT_FILE")
        [ -n "''${NIX_SSL_CERT_FILE-}" ] && EXTRA_ENV+=(NIX_SSL_CERT_FILE="$NIX_SSL_CERT_FILE")

        exec env -i \
          HOME="$HOME" \
          USER="''${USER:-$LOGNAME}" \
          SHELL="''${SHELL:-${pkgs.bash}/bin/bash}" \
          PATH="/run/current-system/sw/bin:/usr/bin:/bin" \
          XDG_RUNTIME_DIR="$HOME/.cache/xdg-runtime" \
          TMPDIR="$HOME/.cache/codex-tmp" \
          XDG_CONFIG_HOME="$HOME/.config" \
          XDG_CACHE_HOME="$HOME/.cache" \
          XDG_DATA_HOME="$HOME/.local/share" \
          "''${EXTRA_ENV[@]}" \
          ${npmPrefix}/bin/codex "$@"
      '')
    ];

    # Ensure ~/.npmrc with a user prefix (no sudo needed)
    home.file.".npmrc"= {
      text = ''
        prefix=${npmPrefix}
      '';
      force  = true;
    };


    # Ensure the npm bin dir is on PATH for all shells
    home.sessionPath = [
      "${npmPrefix}/bin"
    ];

    # Nice-to-have: visible variables in the shell
    home.sessionVariables = {
      NPM_CONFIG_PREFIX = npmPrefix;
    };

    # Auto-install @openai/codex if it's not already there
    # (idempotent on each `home-manager switch`)
    home.activation.installCodexCli = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
      export PATH=${node}/bin:${pkgs.gnutar}/bin:${pkgs.gzip}/bin:${pkgs.unzip}/bin:${pkgs.curl}/bin:$PATH
      mkdir -p ${npmPrefix}
      if [ ! -x "${npmPrefix}/bin/codex" ]; then
        echo "Installing @openai/codex globally..."
        # --global uses prefix from ~/.npmrc; PATH has node for postinstall
        ${node}/bin/npm install -g @openai/codex
      fi
    '';
  };
}