# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

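  # Loaded unconditionally once the system is up; kvm-intel is the KVM
  # hardware-virtualisation module for Intel CPUs.
  boot.kernelModules = [ "kvm-intel" ];

  # Modules placed in the initrd and loaded only when matching hardware is
  # found. The storage and USB entries are what the initrd needs to reach the
  # root device. The tpm*, "trusted" and "rng_core" entries are not storage
  # drivers; presumably they are here so a TPM can be used while unlocking the
  # encrypted volume - confirm against the rest of the configuration.
  boot.initrd.availableKernelModules = [
    "ahci"
    "nvme"
    "rng_core"
    "sd_mod"
    "sdhci_pci"
    "thunderbolt"
    "tpm"
    "tpm_crb"
    "tpm_tis"
    "tpm_tis_core"
    "trusted"
    "uas" # was listed twice; one entry is enough
    "usb_storage"
    "usbhid"
    "xhci_pci"
  ];

  # Nothing is force-loaded in the initrd.
  boot.initrd.kernelModules = [ ];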
  # Kernel command line, in the order written here.
  boot.kernelParams = [
    # Kernel lockdown in its strictest mode: restricts interfaces through which
    # userspace (root included) could read kernel memory.
    "lockdown=confidentiality"
    # Enables the Intel IOMMU (DMA remapping). Worth keeping on a machine that
    # makes the thunderbolt module available in the initrd.
    "intel_iommu=on"
    "quiet"
    "splash"
    "video=efifb:nobgrt"

    # unsafe, but no secrets on that machine
    # NOTE(review): this file also unlocks a LUKS volume and requests
    # lockdown=confidentiality, so the kernel does hold secrets (at least the
    # disk-encryption key). With the CPU side-channel mitigations below turned
    # off, unprivileged local code may be able to read kernel memory on affected
    # CPUs, which undercuts both. Re-check the threat model or drop this group.
    # NOTE(review): "mitigations=off" is the umbrella switch and already covers
    # most of the individual toggles listed before it. "noibrs"/"noibpb" look
    # like distribution-specific parameters and "no_stf_barrier" a PowerPC one;
    # verify each against the kernel-parameters documentation of the kernel in
    # use. "tsx=on" is not a mitigation toggle: it enables TSX, and
    # "tsx_async_abort=off" then disables the matching TAA mitigation.
    "noibrs"
    "noibpb"
    "nopti"
    "nospectre_v2"
    "nospectre_v1"
    "l1tf=off"
    "nospec_store_bypass_disable"
    "no_stf_barrier"
    "mds=off"
    "tsx=on"
    "tsx_async_abort=off"
    "mitigations=off"
    ];

  # No out-of-tree kernel module packages.
  boot.extraModulePackages = [ ];

  # Periodic btrfs scrub, so checksum errors are noticed rather than found by
  # accident.
  services.btrfs.autoScrub = {
    enable = true;
  };

  # Swap is a file on the root filesystem. Root is mounted from the LUKS
  # mapping in this file, so swapped-out pages are encrypted at rest.
  # NOTE(review): btrfs only accepts a swap file that is NOCOW and
  # uncompressed - confirm /swapfile was created that way.
  swapDevices = [
    { device = "/swapfile"; }
  ];

  # LUKS container opened in the initrd and exposed as /dev/mapper/crypted.
  boot.initrd.luks.devices."crypted" = {
    # Open before the LVM scan; no LVM volumes are declared in this file.
    preLVM = true;
    # NOTE(review): this is a kernel-assigned name and can change when another
    # NVMe device is added or enumeration order shifts. /boot in this file is
    # referenced by partition label; a /dev/disk/by-partlabel/<LUKS-PARTLABEL>
    # or by-uuid path (placeholder, value not shown here) would be just as
    # stable for this device.
    device = "/dev/nvme0n1p2";
  };

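  # All btrfs subvolumes live on the opened LUKS mapping; only the ESP is
  # outside the encrypted container.
  fileSystems = {
    "/" = {
      device = "/dev/mapper/crypted";
      fsType = "btrfs";
      options = [ "subvol=/rootfs" ];
      neededForBoot = true;
    };
    "/nix" = {
      device = "/dev/mapper/crypted";
      fsType = "btrfs";
      options = [ "subvol=/nix" ];
      neededForBoot = true;
    };
    # /home is the only subvolume not flagged neededForBoot.
    "/home" = {
      device = "/dev/mapper/crypted";
      fsType = "btrfs";
      options = [ "subvol=/home" ];
    };
    "/persist" = {
      device = "/dev/mapper/crypted";
      fsType = "btrfs";
      options = [ "subvol=/persist" ];
      neededForBoot = true;
    };
    "/boot" = {
      device = "/dev/disk/by-partlabel/disk-one-ESP";
      fsType = "vfat";
      # vfat has no per-file permissions, so without masks every local user can
      # read the whole ESP (boot loader files, random seed). Restrict it to root.
      options = [ "fmask=0077" "dmask=0077" ];
      # NOTE(review): whatever is stored on the ESP is covered neither by LUKS
      # nor, as far as this file shows, by any signature check. If the kernel
      # and initrd are kept here, their integrity depends on Secure Boot or
      # physical control of the machine - confirm which applies.
    };
  };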

  # German keyboard without dead keys, for the virtual console and for X11.
  console.keyMap = "de-latin1-nodeadkeys";
  services.xserver.xkb.layout = "de,de+us";
  services.xserver.xkb.variant = "nodeadkeys";

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # mkDefault keeps this overridable from configuration.nix.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp82s0u1u3u4.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;

  # Target platform for nixpkgs; overridable default.
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  # Intel microcode updates follow hardware.enableRedistributableFirmware, which
  # this file does not set. NOTE(review): if that option ends up false, no
  # microcode updates are loaded - check the evaluated configuration.
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}