1{
 2  hostname,
 3  config,
 4  pkgs,
 5  lib,
 6  ...
 7}:
 8{
 9  imports = [
10    ./boot.nix
11    ./console.nix
12    ./hardware.nix
13    ./locale.nix
14    ./nh.nix
15    ./network.nix
16    ./tpm.nix
17
18    # All my machines have this running
19    ../services/avahi.nix
20    ../services/openssh.nix
21    ../services/prometheus-exporters-node.nix
22    ../services/wireguard.nix
23    ../programs/age.nix
24    # ../services/wireguard.nix # or netbird
25  ];
26
27  networking = {
28    hostName = hostname;
29    # useDHCP = lib.mkDefault true;
30  };
31
32  environment.systemPackages = with pkgs; [
33    acct
34    binutils
35    curl
36    detach # For detached session management
37    # f2
38    file
39    htop
40    iotop
41    killall
42    lsof
43    netcat
44    pciutils
45    psmisc
46    pv
47    ripgrep
48    rsync
49    shpool-ssh-wrapper # For smart shpool SSH session management
50    traceroute
51    tree
52    usbutils
53    vim
54    wget
55    yq-go
56  ];
57
58  programs = {
59    zsh.enable = true;
60  };
61
62  services = {
63    # Only keep the last 500MiB of systemd journal.
64    journald.extraConfig = "SystemMaxUse=500M";
65  };
66
67  security = {
68    polkit.enable = true;
69    rtkit.enable = true;
70    pam.sshAgentAuth.enable = true;
71  };
72
73  # Clear out /tmp after a fortnight and give all normal users a ~/tmp
74  # cleaned out weekly.
75  systemd.tmpfiles.rules = [
76    "d /tmp 1777 root root 14d"
77  ]
78  ++ (
79    let
80      mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
81    in
82    lib.mapAttrsToList mkTmpDir (lib.filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
83  );
84
85  services.fwupd.enable = true;
86
87  # Process accounting — logs every exec for usage-metrics tracking
88  systemd.services.acct = {
89    description = "GNU Process Accounting";
90    wantedBy = [ "multi-user.target" ];
91    serviceConfig = {
92      Type = "oneshot";
93      RemainAfterExit = true;
94      ExecStartPre = "${pkgs.bash}/bin/bash -c '${pkgs.coreutils}/bin/mkdir -p /var/log/account && ${pkgs.coreutils}/bin/touch /var/log/account/pacct'";
95      ExecStart = "${pkgs.acct}/bin/accton /var/log/account/pacct";
96      ExecStop = "${pkgs.acct}/bin/accton off";
97    };
98  };
99}