nixcfg/modules/nixos/services/base/default.nix

{
  options,
  config,
  lib,
  pkgs,
  ...
}:
with lib;
with lib.metacfg;
let
  cfg = config.metacfg.base;
in
{
  options.metacfg.base = with types; {
    enable = mkBoolOpt false "Whether or not to enable the base config.";

  };

  config = mkIf cfg.enable {
    # Configure console keymap
    console.keyMap = lib.mkDefault "us";

    # Select internationalisation properties.
    i18n.defaultLocale = "en_US.UTF-8";
    i18n.extraLocaleSettings = {
      LC_ADDRESS = "de_DE.UTF-8";
      LC_IDENTIFICATION = "de_DE.UTF-8";
      LC_MEASUREMENT = "de_DE.UTF-8";
      LC_MESSAGES = "en_US.UTF-8";
      LC_MONETARY = "de_DE.UTF-8";
      LC_NAME = "de_DE.UTF-8";
      LC_NUMERIC = "de_DE.UTF-8";
      LC_TELEPHONE = "de_DE.UTF-8";
      LC_TIME = "de_DE.UTF-8";
    };

    environment = {
      sessionVariables = {
        PATH = "$HOME/bin";
      };
      systemPackages =
        with pkgs;
        [
          age
          bash
          btop
          cifs-utils
          clevis
          delta
          efibootmgr
          git
          git-crypt
          git-delete-merged-branches
          home-manager
          htop
          mosh
          nixpkgs-fmt
          openssl
          restic
          rrsync
          sbctl
          sops
          strace
          tmux
          vim
          virt-manager
          wget
          (pkgs.writeShellScriptBin "qemu-system-x86_64-uefi" ''
            qemu-system-x86_64 \
              -bios ${pkgs.OVMF.fd}/FV/OVMF.fd \
              "$@"
          '')
        ]
        ++ lib.optionals pkgs.stdenv.targetPlatform.isx86_64 (
          with pkgs;
          [
            tpm2-pkcs11
            tpm2-pkcs11.out
            tpm2-tools
          ]
        );
      shells = [
        pkgs.fish
        pkgs.bash
      ];
    };

    hardware = {

      cpu = {
        amd.updateMicrocode = pkgs.stdenv.targetPlatform.isx86_64;
        intel.updateMicrocode = pkgs.stdenv.targetPlatform.isx86_64;
      };

      enableRedistributableFirmware = lib.mkDefault true;
      enableAllFirmware = true;
    };

    programs = {
      dconf.enable = true;
      bash = {
        ## shellInit = ''
        interactiveShellInit = ''
          bind '"\e[A": history-search-backward'
          bind '"\e[B": history-search-forward'
        '';
      };
      starship.enable = true;
      mosh.enable = true;
      vim = {
        defaultEditor = true;
        enable = true;
      };
      fish.enable = true;
    };

    documentation.man.generateCaches = false;
    # powerManagement.cpuFreqGovernor = "ondemand";

    services = {
      dbus.implementation = "broker";
      dbus.packages = [ pkgs.gcr ];
      fwupd.enable = true;
      openssh = {
        enable = true;
        settings.PermitRootLogin = "prohibit-password";
        settings.X11Forwarding = true;
      };
    };

    security = {
      tpm2.enable = lib.mkDefault true;
      tpm2.abrmd.enable = lib.mkDefault true;
      sudo = {
        enable = true;
        wheelNeedsPassword = lib.mkDefault true;
      };
    };

    time.timeZone = "Europe/Berlin";

    users.users.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNsmP15vH8BVKo7bdvIiiEjiQboPGcRPqJK0+bH4jKD harald@lenovo.fritz.box"
      "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACLgT81iB1iWWVuXq6PdQ5GAAGhaZhSKnveQCvcNnAOZ5WKH80bZShKHyAYzrzbp8IGwLWJcZQ7TqRK+qZdfagAAAAEc3NoOg== harald@hoyer.xyz"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDsb/Tr69YN5MQLweWPuJaRGm+h2kOyxfD6sqKEDTIwoAAAABHNzaDo= harald@fedora.fritz.box"
    ];

    boot = {
      tmp.cleanOnBoot = true;
      loader = {
        systemd-boot.enable = lib.mkDefault true;
        efi.canTouchEfiVariables = true;
        timeout = 2;
      };
      initrd.systemd.enable = true;
    };

    system.autoUpgrade = {
      flags = [
        "--update-input"
        "nixpkgs"
        "--update-input"
        "unstable"
        "--update-input"
        "nixsgx-flake"
        "--update-input"
        "home-manager"
        "--no-write-lock-file"
        "-L"
      ];
      flake = lib.mkDefault "git+https://git.hoyer.xyz/harald/nixcfg";
    };

    systemd.services.nixos-upgrade = {
      path = [ pkgs.metacfg.rot8000 ];
      environment.GIT_CONFIG_GLOBAL = "${config.environment.etc.gitconfig.source}";
      environment.GIT_CONFIG_SYSTEM = "${config.environment.etc.gitconfig.source}";
      environment.GIT_CONFIG = "${config.environment.etc.gitconfig.source}";
    };

    programs.git.enable = true;

    programs.git.config = {
      "filter \"rot8000\"" = {
        smudge = "${pkgs.metacfg.rot8000}/bin/rot8000";
        clean = "${pkgs.metacfg.rot8000}/bin/rot8000";
      };
    };

    virtualisation.libvirtd.enable = lib.mkDefault true;

    boot.tmp.useTmpfs = true;
    systemd.services.nix-daemon.environment.TMPDIR = "/var/tmp";

    services.fstrim.enable = true;
  };
}