nixos/hosts/murex-pecten.nix

{ config, pkgs, ... }:
{
# Boot with systemd-boot on UEFI and allow EFI variables to be written.
boot.loader = {
  systemd-boot.enable = true;
  efi.canTouchEfiVariables = true;
};
# Host identity; connections are managed by NetworkManager.
networking.hostName = "murex-pecten";
networking.networkmanager.enable = true;
# File-system helper package for sshfs mounts.
system.fsPackages = [ pkgs.sshfs ];
# GNOME desktop session, started through GDM.
services.xserver = {
  enable = true;
  displayManager.gdm.enable = true;
  desktopManager.gnome.enable = true;
};
# Audio through PulseAudio.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Accounts are declarative: with mutableUsers = false the users and password
# hashes declared here are authoritative, and a password changed with `passwd`
# is overwritten on the next activation.
users.mutableUsers = false;
# Myself
users.users.malte = {
  isNormalUser = true;
  description = "Malte Tammena";
  # Yes, use the best, please
  shell = pkgs.fish;
  # NOTE(review): this SHA-512 crypt hash is committed with the configuration
  # and is also expected to end up in the world-readable Nix store, so it can
  # be attacked offline by anyone who can read either. This file already uses
  # sops-nix; keeping the hash in a sops secret marked `neededForUsers` and
  # referencing it through `passwordFile` would keep it out of both. Treat the
  # value below as disclosed and rotate it when moving it.
  hashedPassword =
    "$6$zqEC2iJJ98Ne$lRERO30msyjJm7oJCqRD/xj3NIm4De37gD.VUzfg7aceosE/6S6eNAaruIakgUtSC970MHRPoNlCEy1RoFuyh.";
  # "wheel" grants sudo. NOTE(review): "podman" (with the Docker-compatible
  # socket enabled further down) and "libvirtd" give access to daemons that
  # can act as root, so membership is close to passwordless root; keep these
  # only if they are actually needed.
  extraGroups = [
    "wheel"
    "networkmanager"
    "video"
    "lp"
    "kvm"
    "libvirtd"
    "podman"
    "scanner"
    # Name of the `keys` group as declared in the system configuration.
    config.users.groups.keys.name
  ];
};
# Per-user home-manager configuration lives in its own file.
home-manager.users.malte.imports = [ ../users/malte/home.nix ];
# fish is the login shell of the user above, so enable it system-wide.
programs.fish.enable = true;
# Fonts: the default set plus a few extras; monospace resolves to FiraCode.
fonts.enableDefaultFonts = true;
fonts.fonts = [
  pkgs.firaCodeNerd
  pkgs.noto-fonts
  pkgs.noto-fonts-cjk
  pkgs.joypixels
];
fonts.fontconfig.enable = true;
fonts.fontconfig.defaultFonts.monospace = [ "FiraCode Nerd Font" ];
# gpg-agent also answers SSH agent requests, so keys reachable through GnuPG
# (the author's intent: keys held on the YubiKey) can be used for SSH logins.
# Passphrase and PIN prompts use the Qt pinentry.
programs.gnupg.agent.enable = true;
programs.gnupg.agent.enableSSHSupport = true;
programs.gnupg.agent.pinentryFlavor = "qt";
# YubiKey authentication through pam_yubico, in offline challenge-response
# mode.
# NOTE(review): `control` is left at the module default. In nixpkgs that
# default is "sufficient", which means a successful challenge-response
# satisfies PAM on its own and the password is not asked for; the key then
# replaces the password instead of adding a factor. If the key is meant as a
# second factor, set control = "required", and test it from a second session
# first so that a missing challenge file cannot lock the account out. Confirm
# the default against the nixpkgs revision in use.
security.pam.yubico = {
  enable = true;
  mode = "challenge-response";
  # Leave debug output off outside of troubleshooting.
  debug = false;
  #id = "ccccccvblrrf";
  #control = "required";
};
# Disabled experiments, kept for reference:
#security.pam.services.login = {
#  name = "login";
#  ## Fix when https://github.com/NixOS/nixpkgs/pull/105319 lands..
#  text = pamLogin;
#};
#security.pam.services.swaylock = {
#  name = "swaylock";
#  fprintAuth = true;
#  unixAuth = true;
#};
# Extra udev rules. Each entry names a rules file and gives its content; both
# rules only tag the device for systemd and add a stable /dev symlink, they do
# not change device permissions.
services.udev.customRules = [
  # Focusrite Scarlett Solo -> /dev/scarlett_solo
  {
    name = "85-scarlett-solo";
    rules = ''
      SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="8211", ENV{ID_VENDOR_ID}=="1235", TAG+="systemd", SYMLINK+="scarlett_solo"
    '';
  }
  # YubiKey -> /dev/yubikey
  {
    name = "85-yubikey";
    rules = ''
      SUBSYSTEM=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", TAG+="systemd", SYMLINK+="yubikey"
    '';
  }
];
# Containers run on Podman.
virtualisation.podman.enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
virtualisation.podman.dockerCompat = true;
# NOTE(review): this exposes the Podman API on the Docker socket path for
# members of the `podman` group. As with Docker, whoever can talk to that
# socket can effectively become root, and malte is in that group. Drop this
# option if no tool needs the socket; rootless `podman` works without it.
virtualisation.podman.dockerSocket.enable = true;
# Name resolution between containers on the default network.
virtualisation.podman.defaultNetwork.dnsname.enable = true;
programs.dconf.enable = true;
programs.steam.enable = true;
# D-Bus service files for dconf.
services.dbus.packages = [ pkgs.gnome3.dconf ];
# udev rules shipped by these packages (YubiKey tooling, Chrysalis, OpenRGB).
# NOTE(review): presumably these rules open the matching devices to
# unprivileged users; check what each package installs if that matters here.
services.udev.packages = [
  pkgs.yubikey-personalization
  pkgs.chrysalis
  pkgs.openrgb
];
# Secrets are managed with sops-nix.
sops = {
  defaultSopsFile = ../secrets/hosts/murex-pecten/secrets.yaml;
  # The SSH host key doubles as the age identity used for decryption, so
  # anyone who can read that key (root on this machine, or a backup or disk
  # image containing /etc/ssh) can decrypt every secret encrypted for this
  # host. Re-encrypt the secrets whenever the host key is rotated or exposed.
  age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  # TODO: Improve this
  # Restic backup secret, taken from the user's secrets file under the key
  # "restic-backup" and readable only by malte (mode 0400).
  secrets."restic-backup-malte" = {
    sopsFile = ../secrets/users/malte/secrets.yaml;
    key = "restic-backup";
    owner = "malte";
    mode = "0400";
  };
};
# Tools installed for every user.
environment.systemPackages = [
  pkgs.thunderbolt
  pkgs.chrysalis
  pkgs.openrgb
];
# Printing, firmware updates through fwupd, and devmon.
# NOTE(review): devmon presumably auto-mounts removable media as it is plugged
# in; confirm that this is wanted on a machine left unattended.
services.devmon.enable = true;
services.fwupd.enable = true;
services.printing.enable = true;
# NixOS release whose defaults for stateful data (file locations, database
# versions) this system was installed with. Leave it at the release of the
# first install; read the documentation for this option before changing it
# (e.g. man configuration.nix or https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}