default.nix
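# NixOS host configuration for the machine named "nurma".
#
# The `hosts.*` options are defined by modules elsewhere in this repository;
# only the values assigned to them are visible here, so comments about their
# effect are hedged where the behaviour is not standard NixOS.
{ pkgs, ... }:
{
  networking.hostName = "nurma";
  hosts.hyprland.enable = true;
  hosts.secureboot.enable = true;
  hosts.yubikey.enable = true;

  # Tracks the newest kernel packaged in nixpkgs rather than the default one.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # environment.systemPackages = [
  #   inputs.credentialsd.packages.${pkgs.system}.firefox-patched
  # ];

  # Remote builds on nixbuild.net authenticate with a dedicated key:
  # ssh-keygen -t ed25519 -C remote-build -f remote-build
  # The private key is referenced by path under /root, so it stays out of the
  # world-readable Nix store; it must be readable by root only.
  # NOTE(review): OpenSSH 8.5 renamed PubkeyAcceptedKeyTypes to
  # PubkeyAcceptedAlgorithms; the old spelling is still accepted as an alias.
  programs.ssh.extraConfig = ''
    Host eu.nixbuild.net
      PubkeyAcceptedKeyTypes ssh-ed25519
      ServerAliveInterval 60
      IPQoS throughput
      IdentityFile /root/.ssh/remote-build
  '';

  # Extra binary cache. Any store path signed by the key listed in
  # trusted-public-keys is accepted without a local rebuild, so the holder of
  # that signing key is trusted for every package substituted from this cache.
  nix.settings = {
    substituters = [
      "https://nixos-raspberrypi.cachix.org"
    ];
    trusted-public-keys = [
      "nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
    ];
  };

  # Borg backup of the user's home directory to a BorgBase repository.
  # NOTE(review): identityPath is the same file as age.identityPaths at the
  # bottom of this file, so one private key covers both backup access and
  # secret decryption; separate keys would limit what a single leak exposes.
  hosts.borg = {
    enable = true;
    repository = "ssh://nads486h@nads486h.repo.borgbase.com/./repo";
    paths = [ "/home/martijn" ];
    identityPath = "/home/martijn/.ssh/id_ed25519_age";
    exclude = [
      ".cache"
      "*/cache2" # librewolf
      "*/Cache"
      ".wine"
      ".config/Slack/logs"
      ".config/Code/CachedData"
      ".container-diff"
      ".npm/_cacache"
      ".ollama"
      "Models"
      "Sync"
      "*/node_modules"
      "*/_build"
      "*/venv"
      "*/.venv"
      "/home/*/.local"
      "/home/*/Downloads"
      "/home/*/Data"
      # Keeps SSH private keys out of the off-site repository. The key needed
      # to reach the repository is therefore not part of the backup itself and
      # has to be recoverable some other way.
      "/home/*/.ssh"
    ];
  };

  environment.systemPackages = with pkgs; [
    # https://github.com/quickemu-project/quickemu/wiki/05-Advanced-quickemu-configuration
    quickemu
  ];

  # Membership of "libvirtd" lets the user manage system-level VMs without
  # further authentication, which is close to root-equivalent access.
  # NOTE(review): the NixOS libvirtd module creates the group "libvirtd";
  # confirm that a separate "libvirt" group exists on this system.
  # NOTE(review): "adbusers" is normally created by programs.adb, which is not
  # enabled in the part of the configuration shown here.
  users.users.martijn.extraGroups = [
    "libvirtd"
    "libvirt"
    "kvm"
    "adbusers"
  ];

  programs.virt-manager.enable = true;

  virtualisation = {
    waydroid.enable = false; # android
    libvirtd.enable = true; # virt-manager
    # Installs the SPICE USB redirection helper with elevated privileges so
    # that unprivileged users can hand host USB devices to a VM.
    spiceUSBRedirection.enable = true;
  };

  # NOTE(review): qemuGuest and spice-vdagentd are guest-side agents, while
  # this host also runs libvirtd and a physical GPU driver; confirm they are
  # needed here and not only inside the VMs.
  services.qemuGuest.enable = true;
  services.spice-vdagentd.enable = true; # copy&paste

  hosts.tailscale.enable = true;
  hosts.prometheus.enable = true;

  programs = {
    steam.enable = true;
    winbox = {
      enable = true;
      package = pkgs.winbox4;
      # Opens firewall ports for WinBox on every interface.
      # NOTE(review): confirm this is wanted on untrusted networks.
      openFirewall = true;
    };
  };

  # The SSH server is disabled. The allowUsers patterns only matter once it is
  # enabled; they limit logins to clients in 100.64.0.0/10 (the CGNAT range
  # Tailscale assigns addresses from) and 10.30.0.0/24.
  hosts.openssh = {
    enable = false;
    allowUsers = [
      "*@100.64.0.0/10"
      "*@10.30.0.0/24"
    ];
  };

  services.xserver.videoDrivers = [ "amdgpu" ];

  # Enable binfmt emulation of aarch64-linux. (for the raspberry pi)
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  # File watches for the audit subsystem. Each rule carries a -k key so its
  # events can be selected with `ausearch -k <key>`.
  hosts.auditd = {
    enable = true;
    rules = [
      # Reads, writes and attribute changes on the user's SSH directory.
      "-w /home/martijn/.ssh -p rwa -k ssh_file_access"
      # Writes and attribute changes to the Nix configuration checkout.
      "-w /home/martijn/Nix -p wa -k nix_config_changes"
      # Access to the first video capture device. The key was missing on this
      # rule, which left its events unlabelled in the audit log.
      # NOTE(review): the videoN index can change between boots or devices.
      "-w /dev/video0 -p war -k video_device_access"
    ];
  };

  # Private key used to decrypt age-encrypted secrets. It lives in the user's
  # home directory and is the same file hosts.borg.identityPath points at.
  age = {
    identityPaths = [ "/home/martijn/.ssh/id_ed25519_age" ];
  };
}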