nixos/modules/base-system.nix

# Settings that most of my hosts can agree on, but
# some of these settings are overriden on a per-host basis.
{
  pkgs,
  lib,
  config,
  inputs,
  ...
}: let
  cfg = config.settings;
  inherit (lib) mkDefault;

  highSSHPort = 38611;

  vpnInterface = config.services.tailscale.interfaceName;
  enableHydraMinion = config.services.openssh.enable;
in {
  imports = [
    ./hdparm.nix
    ./malte.nix
    ./marie.nix
    ./deck.nix
    ./radicale.nix
    ./wakeup.nix
    ./state.nix
  ];

  options.settings = with lib; {
    nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";
    minimalGnome.enable = mkEnableOption "basic gnome stuff";
    ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";
    batteryStuff.enable = mkEnableOption "battery-related things";
    hiDPI.enable = mkEnableOption "High-DPI display";
  };

  config = {
    # Allow joypixels' license and unfree licenses in general
    nixpkgs.config = {
      # TODO: Fix once allowUnfree works for home-manager again
      allowUnfreePredicate = _: true;
      joypixels.acceptLicense = true;
    };
    # Some overlays
    nixpkgs.overlays = [
      (_: super: {
        "2i-emulator" = super.callPackage ../pkgs/2i-emulator.nix {};
        boilr = super.callPackage ../pkgs/boilr.nix {};
        # Add fonts
        hackNerdLigatures = super.callPackage ../pkgs/hack.nix {};
        darkman = super.callPackage ../pkgs/darkman.nix {};
      })
    ];
    # This includes the firmware, oc
    hardware.enableRedistributableFirmware = true;
    # Add certificate authority used for my servers
    security.pki.certificates = [
      (builtins.readFile ../secrets/ca.crt)
    ];

    system.nixos.label = let
      rev =
        if builtins.hasAttr "dirtyShortRev" inputs.self
        then inputs.self.dirtyShortRev
        else inputs.self.shortRev;
    in
      (builtins.concatStringsSep "-" (builtins.sort (x: y: x < y) config.system.nixos.tags)) + config.system.nixos.version + "-SHA:${rev}";

    # Use some binary caches
    nix.settings = {
      # add binary caches
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "cache.home:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      ];
      substituters = [
        "https://cache.nixos.org"
        "https://nixpkgs-wayland.cachix.org"
        "https://hyprland.cachix.org"
      ];
      trusted-users =
        [
          # Hand the wheel group extra nix daemon rights
          "@wheel"
          # The hydra-minion is trusted aswell
        ]
        ++ lib.optional enableHydraMinion config.users.users.hydra-minion.name;
    };
    nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];

    users.users.hydra-minion = lib.mkIf enableHydraMinion {
      description = "Hydra Minion for remote building";
      isSystemUser = true;
      home = "/home/hydra-minion";
      createHome = true;
      useDefaultShell = true;
      group = config.users.groups.hydra-minion.name;
      openssh.authorizedKeys.keyFiles = [
        ../users/malte/yubikey.pub
        ../secrets/hydra-overseer.pub
      ];
    };
    users.groups.hydra-minion = lib.mkIf enableHydraMinion {};

    # Make sure that I can login over the tailscale infrastructure while increasing security
    services.openssh = {
      enable = pkgs.lib.mkDefault true;
      ports = [22 highSSHPort];
      openFirewall = false;
    };
    networking.firewall.interfaces.${vpnInterface} = {
      # Allow default port over VPN
      allowedTCPPorts = [22 highSSHPort];
    };
    # Add extra high port if requested for those outside the VPN
    networking.firewall.allowedTCPPorts = lib.optional cfg.ssh.openOutsideVPN highSSHPort;
    # Tailscale exit node seem to have a problem with strict checking
    networking.firewall.checkReversePath = "loose";
    # Add yubikey for root authentication
    users.users.root.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
    # Enable mosh for some SSH superpower
    programs.mosh.enable = pkgs.lib.mkDefault true;

    # Basic packages
    environment.systemPackages = with pkgs; [
      # I might need git for rebuilding this flake on the remote machine
      git
      # Sops is for security
      sops
      # top is lacking pizzazz
      btop
      # An initial `tailscale up` is necessary to get the network going
      tailscale
      # I will need to have access to helix
      helix
      # I much rather use some tools other than the default
      fd
      # For highlighting log files
      tailspin
      # For spacing log files
      spacer
      # DiskUsage improvements
      du-dust
      # R.I.P. grep
      ripgrep
    ];

    # Language and timezone defaults
    time.timeZone = "Europe/Berlin";
    i18n.supportedLocales = [
      "en_US.UTF-8/UTF-8"
      "de_DE.UTF-8/UTF-8"
    ];

    # Use the latest kernel, this is altered on some hosts with zfs requirements
    boot.kernelPackages = pkgs.lib.mkOverride 2000 pkgs.linuxPackages_latest;
    boot.loader.timeout = pkgs.lib.mkDefault 1;
    # This setting is fine, on hosts with x/wayland, I'll want to increase this
    boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;

    # Network configuration with tailscale
    networking.useDHCP = false;
    # Enable tailscale!
    services.tailscale = {
      enable = true;
      interfaceName = "looking-glas";
    };
    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];

    # Regularly clear the store
    nix.gc = {
      automatic = true;
      dates = lib.mkDefault "weekly";
    };

    # Enable store optimiser
    nix.optimise = {
      automatic = true;
      dates = ["04:00"];
    };

    # GNOME
    # Don't forget to import DISPLAY into dbus variables
    programs.dconf.enable = mkDefault cfg.minimalGnome.enable;
    programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;
    services.dbus.packages = lib.optional cfg.minimalGnome.enable pkgs.gcr;
  };
}