nixcfg/systems/x86_64-linux/x1/default.nix

{ pkgs, lib, config, ... }:
with lib;
with lib.metacfg;
{
  imports = [
    ./hardware-configuration.nix
    ./ipu.nix
  ];

  services.cratedocs-mcp.enable = true;

  sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
  sops.secrets."wg".sopsFile = ../../../.secrets/x1/files.yaml;
  sops.secrets."wg".mode = "0444";
  sops.secrets."hosts".sopsFile = ../../../.secrets/x1/files.yaml;
  sops.secrets."hosts".mode = "0444";

  environment.etc."wg0.backup.conf".source = config.sops.secrets."wg".path;
  environment.etc."hosts.backup".source = config.sops.secrets."hosts".path;

  services.openssh = {
    enable = true;
    hostKeys = [
      {
        path = "/var/lib/secrets/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/var/lib/secrets/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  hardware.bluetooth.input.General.ClassicBondedOnly = false;
  services.udev.extraRules = ''
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
  '';

  metacfg = {
    base.enable = true;
    gui.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
    podman.enable = true;
    secureboot.enable = true;
    homeprinter.enable = true;

    system = {
      limits = {
        enable = true;
        nofileLimit = 32768;
        memlockLimit = 32768;
      };
    };

    # User configuration
    tools = {
      direnv.enable = true;
    };
    user.extraGroups = [
      "docker"
      "dialout"
    ];
  };

  nixpkgs.config.permittedInsecurePackages = [
    "electron-27.3.11"
  ];

  environment.systemPackages = with pkgs; [
    attic-client
    azure-cli
    claude-code
    claude-desktop-with-fhs
    cloudflare-warp
    desktop-file-utils
    fabric-ai
    gemini-cli
    gnome-terminal
    gtypist
    k9s
    klavaro
    kubectl
    kubectx
    libcamera
    logseq
    ollama
    piper-tts
    tipp10
    uv
    vscode
  ];

  zramSwap.enable = true;

  services.ratbagd.enable = true;

  services.resolved.enable = true;
  #services.resolved.dnssec = "allow-downgrade";
  #services.resolved.extraConfig = ''
  #  ResolveUnicastSingleLabel=yes
  #'';

  systemd.packages = [ pkgs.cloudflare-warp ]; # for warp-cli

  virtualisation = {
    docker.enable = true;
    libvirtd.enable = true;
    podman.dockerCompat = false;
  };

  system.autoUpgrade = {
    enable = true;
    operation = "boot";
    allowReboot = false;
  };

  services.trezord.enable = true;

  services.ollama = {
    enable = false;
    acceleration = "rocm";
    environmentVariables = {
      HSA_OVERRIDE_GFX_VERSION = "10.1.0";
    };
  };

  environment.sessionVariables = {
    LIBVA_DRIVER_NAME = "iHD";
    # NIXOS_OZONE_WL = "1";
    # DRI_PRIME = "pci-0000_24_00_0";
    DRI_PRIME = "pci-0000_00_02_0";
  };

  system.stateVersion = "23.11";
}