 1{
 2  hostname,
 3  config,
 4  pkgs,
 5  lib,
 6  ...
 7}:
 8{
 9  imports = [
10    ./boot.nix
11    ./console.nix
12    ./hardware.nix
13    ./locale.nix
14    ./nh.nix
15    ./network.nix
16    ./tpm.nix
17
18    # All my machine have this running
19    ../services/avahi.nix
20    ../services/openssh.nix
21    ../programs/age.nix
22    # ../services/wireguard.nix # or netbird
23  ];
24
25  networking = {
26    hostName = hostname;
27    # useDHCP = lib.mkDefault true;
28
29    # Use nftables as the firewall backend (default since NixOS 23.11)
30    # Explicitly enabled for clarity and to ensure iptables is not used
31    nftables.enable = lib.mkDefault true;
32  };
33
34  environment.systemPackages = with pkgs; [
35    binutils
36    curl
37    # f2
38    file
39    htop
40    iotop
41    killall
42    lsof
43    netcat
44    pciutils
45    psmisc
46    pv
47    ripgrep
48    rsync
49    traceroute
50    tree
51    usbutils
52    vim
53    wget
54    yq-go
55  ];
56
57  programs = {
58    zsh.enable = true;
59  };
60
61  services = {
62    # Only keep the last 500MiB of systemd journal.
63    journald.extraConfig = "SystemMaxUse=500M";
64  };
65
66  security = {
67    polkit.enable = true;
68    rtkit.enable = true;
69    pam.sshAgentAuth.enable = true;
70  };
71
72  # Clear out /tmp after a fortnight and give all normal users a ~/tmp
73  # cleaned out weekly.
74  systemd.tmpfiles.rules = [
75    "d /tmp 1777 root root 14d"
76  ]
77  ++ (
78    let
79      mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
80    in
81    lib.mapAttrsToList mkTmpDir (lib.filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
82  );
83
84  services.fwupd.enable = true;
85}