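# Shared NixOS base module for every host in this flake.
#
# Pulls in the flake's third-party NixOS modules plus the local per-concern
# modules, declares the `pim.sops-nix` options, and sets host-wide defaults
# (locale, networking, nix settings, and secret provisioning through colmena's
# `deployment.keys`).
{ pkgs, config, lib, inputs, self, name, ... }:
{
  imports = [
    inputs.home-manager.nixosModules.home-manager
    inputs.nixos-facter-modules.nixosModules.facter
    inputs.disko.nixosModules.disko
    inputs.sops-nix.nixosModules.sops
    inputs.nix-snapshotter.nixosModules.nix-snapshotter
    ./lanzaboote.nix
    ./tidal.nix
    ./stylix.nix
    ./wireguard.nix
    ./gnome.nix
    ./compliance.nix
    ./cinnamon.nix
    ./ssh.nix
    ./desktop.nix
    ./server.nix
    ./prometheus.nix
    ./kubernetes
    ./data-sharing.nix
    ./backups.nix
  ];

  options = {
    pim.sops-nix = {
      # Deployer-side sops file holding the per-user age keys for this host;
      # each key is looked up under `sops_nix_keys.<user>` by the key command
      # in `config.deployment.keys` below.
      colmenaSopsFile = lib.mkOption {
        type = lib.types.path;
        default = "${self}/secrets/${name}/colmena.yaml";
      };
      # Users that get an age key installed at ~/.config/sops/age/keys.txt.
      # For hosts that are not deployed locally this defaults to just "root";
      # for locally deployed hosts it is empty and nothing is provisioned.
      usersWithSopsKeys = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = lib.optional (! config.deployment.allowLocalDeployment) "root";
      };
    };
  };

  config = {
    time.timeZone = "Europe/Amsterdam";
    hardware.pulseaudio.enable = false;

    # Where sops-nix reads this host's age key. This is the same path that the
    # "root" entry of `deployment.keys` below writes to (destDir + name).
    sops.age.keyFile = "/root/.config/sops/age/keys.txt";

    i18n = {
      defaultLocale = "en_US.UTF-8";
      # Dutch formats for everything except messages, which stay en_US.
      extraLocaleSettings = let
        extraLocale = "nl_NL.UTF-8";
      in {
        LC_ADDRESS = extraLocale;
        LC_IDENTIFICATION = extraLocale;
        LC_MEASUREMENT = extraLocale;
        LC_MONETARY = extraLocale;
        LC_NAME = extraLocale;
        LC_NUMERIC = extraLocale;
        LC_PAPER = extraLocale;
        LC_TELEPHONE = extraLocale;
        LC_TIME = extraLocale;
      };
    };

    # One colmena key per entry in `pim.sops-nix.usersWithSopsKeys`, named
    # "<user>-sops-age". The key command runs on the deployer: it decrypts
    # the user's age key out of `colmenaSopsFile` with sops and colmena then
    # places the plaintext at <home>/.config/sops/age/keys.txt on the target.
    deployment.keys = lib.pipe config.pim.sops-nix.usersWithSopsKeys [
      (lib.map (user:
        let
          homeDirectory = if user == "root" then "/root" else "/home/${user}";
          sopsFile = config.pim.sops-nix.colmenaSopsFile;
        in {
          name = "${user}-sops-age";
          value = {
            # `--inputs-from` resolves `nixpkgs#sops` against this flake's own
            # locked inputs rather than the deployer's unpinned flake registry,
            # so the tool that decrypts the key material comes from the same
            # nixpkgs revision the system is built from. If the flake has no
            # input named `nixpkgs`, resolution falls back to the registry as
            # before.
            keyCommand = [
              "nix" "run" "--inputs-from" "${self}" "nixpkgs#sops" "--"
              "--extract" "[\"sops_nix_keys\"][\"${user}\"]"
              "-d" (builtins.toString sopsFile)
            ];
            name = "keys.txt";
            destDir = "${homeDirectory}/.config/sops/age";
            inherit user;
            group = "users";
            # Private key material: owner-only, stated explicitly even though
            # the file is placed in the shared "users" group.
            permissions = "0600";
          };
        }))
      builtins.listToAttrs
    ];

    # Do not block boot on network-online.target.
    systemd = {
      services.NetworkManager-wait-online.enable = lib.mkForce false;
      network.wait-online.enable = lib.mkForce false;
    };

    services = {
      xserver.excludePackages = [ pkgs.xterm ];
      printing.drivers = [ pkgs.hplip pkgs.gutenprint ];
      tailscale.enable = true;
      pipewire = {
        alsa.enable = true;
        alsa.support32Bit = true;
        pulse.enable = true;
        jack.enable = true;
      };
    };

    environment = {
      systemPackages = with pkgs; [
        age
        btop
        btrfs-progs
        curl
        dig
        exfat
        f3
        fastfetch
        file
        git
        jq
        ripgrep
        sbctl
        tree
        vim
        wget
        yq
        ncdu
        lshw
        sops
      ];
    };

    # On activation, print what changed relative to the currently running
    # system (skipped on first boot, when /run/current-system does not exist).
    system.activationScripts.diff = ''
      if [[ -e /run/current-system ]]; then
        ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
      fi
    '';

    security = {
      rtkit.enable = true;
      # Cache sudo credentials for 30 minutes instead of sudo's default of 5.
      # Longer caching means a longer window in which a hijacked session can
      # run sudo without re-authenticating; deliberate convenience trade-off.
      sudo.extraConfig = ''
        Defaults timestamp_timeout=30
      '';
    };

    nix = {
      package = pkgs.nixVersions.stable;
      extraOptions = ''
        experimental-features = nix-command flakes
      '';
      gc = {
        automatic = true;
        persistent = true;
        dates = "weekly";
        options = "--delete-older-than 7d";
      };
    };

    networking = {
      hostName = name;
      useDHCP = lib.mkDefault true;
      # Keep NetworkManager from managing the tailscale interface when
      # tailscale is on.
      networkmanager.unmanaged = lib.mkIf config.services.tailscale.enable [ "tailscale0" ];
      wireless.extraConfig = ''
        p2p_disabled=1
      '';
    };

    nixpkgs = {
      config = {
        # Explicit allow-list of unfree packages rather than a blanket
        # `allowUnfree = true`; add to this list deliberately.
        allowUnfreePredicate = pkg:
          builtins.elem (lib.getName pkg) [
            "libfprint-2-tod1-goodix"
            "steam"
            "steam-original"
            "steam-run"
            "steam-unwrapped"
          ];
      };
      overlays = [
        inputs.nur.overlays.default
        # Exposes `pkgs.unstable.<pkg>` from the nixpkgs-unstable input.
        # NOTE: unlike the main package set above, this set allows every
        # unfree package.
        (final: _prev: {
          unstable = import inputs.nixpkgs-unstable {
            inherit (pkgs) system;
            config.allowUnfree = true;
          };
        })
      ];
    };

    boot.kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };

    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
      extraSpecialArgs = { inherit self inputs; };
      sharedModules = [ "${self}/home-manager" ];
    };
  };
}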