machine_setup/nix/configuration/configuration.nix

{
  config,
  lib,
  pkgs,
  home-manager,
  ...
}:

{
  imports = [
    ./roles/reset
    ./util/unfree_polyfill
    ./roles/iso
    "${
      builtins.fetchTarball {
        url = "https://github.com/nix-community/disko/archive/refs/tags/v1.9.0.tar.gz";
        sha256 = "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388";
      }
    }/module.nix"
    ./roles/boot
    ./roles/zfs
    ./roles/network
    ./roles/firewall
    ./roles/zsh
    ./roles/zrepl
    ./roles/graphics
    ./roles/sound
    ./roles/sway
    ./roles/kanshi
    ./roles/alacritty
    ./roles/firefox
    ./roles/chromium
    ./roles/emacs
    ./roles/git
    ./roles/fonts
    ./roles/gpg
    ./roles/waybar
    ./roles/qemu
    ./roles/wireguard
    ./roles/ares
    ./roles/ssh
    ./roles/python
    ./roles/docker
    ./roles/kubernetes
    ./roles/rust
    ./roles/media
    ./roles/steam
    ./roles/latex
    ./roles/launch_keyboard
    ./roles/lvfs
    ./roles/nvme
    ./roles/terraform
    ./roles/vscode
    ./roles/wasm
    ./roles/vnc_client
    ./roles/chromecast
    ./roles/memtest86
  ];

  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.trusted-users = [ "@wheel" ];

  # boot.kernelPackages = pkgs.linuxPackages_6_11;
  hardware.enableRedistributableFirmware = true;

  services.getty = {
    autologinUser = "talexander"; # I use full disk encryption so the user password is irrelevant.
    autologinOnce = true;
  };
  users.mutableUsers = false;
  users.users.talexander = {
    isNormalUser = true;
    createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
    group = "talexander";
    extraGroups = [ "wheel" ];
    uid = 11235;
    packages = with pkgs; [
      tree
    ];
    # Generate with `mkpasswd -m scrypt`
    hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
    ];
  };
  users.groups.talexander.gid = 11235;
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.packages = [
        pkgs.atool
        pkgs.httpie
      ];
      programs.bash.enable = true;

      # The state version is required and should stay at the version you
      # originally installed.
      home.stateVersion = "24.11";
    };

  # Automatic garbage collection
  nix.gc = lib.mkIf (!config.me.buildingIso) {
    # Runs nix-collect-garbage --delete-older-than 5d
    automatic = true;
    randomizedDelaySec = "14m";
    options = "--delete-older-than 30d";
  };
  nix.settings.auto-optimise-store = !config.me.buildingIso;

  # Use doas instead of sudo
  security.doas.enable = true;
  security.doas.wheelNeedsPassword = false;
  security.sudo.enable = false;
  security.doas.extraRules = [
    {
      # Retain environment (for example NIX_PATH)
      keepEnv = true;
      persist = true; # Only ask for a password the first time.
    }
  ];

  # Do not use default packages (nixos includes some defaults like nano)
  environment.defaultPackages = lib.mkForce [ ];

  environment.systemPackages = with pkgs; [
    wget
    mg
    rsync
    libinput
    htop
    tmux
    file
    usbutils # for lsusb
    pciutils # for lspci
    ripgrep
    strace
    ltrace
    trace-cmd # ftrace
    tcpdump
    git-crypt
    nix-index-unwrapped
    gnumake
    ncdu
  ];

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    hostKeys = [
      {
        path = "/persist/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
        path = "/persist/ssh/ssh_host_rsa_key";
        type = "rsa";
        bits = 4096;
      }
    ];
  };

  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    directories = [
      "/var/lib/iwd" # Wifi settings
      "/var/lib/nixos" # Contains user information (uids/gids)
      "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
      "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
    ];
    files = [
      "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
    # users.talexander = {
    #   directories = [];
    #   files = [];
    # };
  };

  # Write a list of the currently installed packages to /etc/current-system-packages
  environment.etc."current-system-packages".text =
    let
      packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
      sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
      formatted = builtins.concatStringsSep "\n" sortedUnique;
    in
    formatted;

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     nix = pkgs-unstable.nix;
  #   })
  # ];

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?

}