platform/tos/hashmap/default.nix

{
  pkgs,
  nixpkgs,
  ...
}:
{
  networking = {
    hostName = "hashmap";
    domain = "obx";
    search = [ "obx" ];
    firewall.allowedTCPPorts = [ ];
    firewall.extraCommands = '''';
    resolvconf = {
      enable = false;
    };
    nameservers = [
      "100.100.100.100"
    ];
  };

  boot = {
    consoleLogLevel = 3;
    plymouth = {
      enable = true;
      theme = "ibm";
      themePackages = [
        (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ "ibm" ]; })
      ];
    };
    tmp.cleanOnBoot = true;
    kernel = {
      sysctl = {
        "net.ipv4.ip_forward" = true;
      };
    };
    kernelParams = [
      # Quite boot
      "quiet"
      "udev.log_level=3"
    ];
    supportedFilesystems = [ "ntfs" ];
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    initrd = {
      # Quiet boot
      verbose = false;
      # Use zstd compression instead of gzip for initrd
      compressor = "zstd";
      # Make boot more reliable by using systemd inside initrd
      systemd.enable = true;
    };
    initrd.luks.devices = {
      luksroot = {
        device = "/dev/nvme0n1p1";
        preLVM = true;
        allowDiscards = true;
      };
      luks-data = {
        device = "/dev/sda1";
        preLVM = true;
        allowDiscards = true;
      };
    };
    loader.grub = {
      enable = false;
      device = "/dev/sda1";
      configurationLimit = 3;
    };
  };

  # Use nvd to get package diff before apply
  system.activationScripts.system-diff = {
    supportsDryActivation = true; # safe: only outputs to stdout
    text = ''
      export PATH="${pkgs.lib.makeBinPath [ pkgs.nixVersions.latest ]}:$PATH"
      if [ -e /run/current-system ]; then
        ${pkgs.lib.getExe pkgs.nvd} diff '/run/current-system' "$systemConfig" || true
      fi
    '';
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  i18n = {
    defaultLocale = "en_US.UTF-8";
    extraLocaleSettings = {
      LC_CTYPE = "en_DK.UTF-8";
      LC_TIME = "en_DK.UTF-8";
      LC_PAPER = "en_DK.UTF-8";
      LC_NAME = "en_DK.UTF-8";
      LC_ADDRESS = "en_DK.UTF-8";
      LC_TELEPHONE = "en_DK.UTF-8";
      LC_MEASUREMENT = "en_DK.UTF-8";
      LC_IDENTIFICATION = "en_DK.UTF-8";
    };
  };

  time.timeZone = "Europe/Oslo";

  features = {
    desktop.enable = true;
    desktop.plasma.enable = true;

    os = {
      networkmanager.enable = true;
      externalInterface = "eno2";

      # NOTE: Use podman instead
      docker.enable = false;

      adminAuthorizedKeys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC68qcYMBNNWjCoRo1OrfGe3OTBsHprPJPQwaywlOUM03xQLNyF2JcqY8wXJ+Hf2dOopJWOWnS5RwsOtxxV5bUX0tk7yPV38AKGhwW1Q0Xy//nGYypoe4JSvvLJLN4dWoBtkhJFQcJcdAbi6jRrDU1J8n2ZwPwFtQWoEwdm0Mq0H+MR6c97Xnl4pkjCHUOVxyaaCCzo1GSotAG2TQanwcbr5AOTptP3CRGOQ8D7T0iN1v5bJmP4fc6P/av30spOzKksksIg21aMHcted5K5I8XJymftfgJbHr5uKtsgrnHtx7qcPiISkoToQWRttYhTEj0GjLIJwCXZ5Fon1rCVWDW+VvhzI7PhXmhBEOHxuLeSuG3lC9L0NpWJkoIJo7WqMtFo3rJPmRQS6AWFy11SIjvsBQVfDk3Jz1QmV8dxM1ksyZzx5VQ0+zOqIsagjJJIHwKhxgNsVXSO/Hqrua5oCsdgSfnrNVujwagfxY9TQa0bNwYkEs79Oot9EiFdLi9wwrE= Simen Kirkvik (gitlab.com)"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== Simen Kirkvik (gitlab.com)"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQUQsPdS3Wvl46cPl6rBrAPDLX9r8tx1V7yVkr1GhP07hVYVcLV0wojMaB8Zi5kvr/sgBpiuU6oKNqx4+5gN70uQC+JbM5Orna8SoN4L2jfO2WgTMFZEqmDoyzCCglUl2EiqFDvKEC/dvFSjn/qJG6eUdEGpTuB/VQljidZMJrloq0kf4iYy0uaXdrkoKLlBEjXo1forlr2KAYq48PsTovyQxrDqG25UcRhjmoq0Ag7ZGquQXB8Ouwe+H/lVWQFJU+Vy4nqqvv1Fq/bQHW92dZDnlwrMyY6lVsp6Cgc3jzcB5dTfN9Zt+iaVFSE+Tojl04n1oKU4Z5kMbTPRTLLDgjlVRY9JGHOXNO8bqEPG0E7sNXBGSncie9nXnfDoVhXAd8KoVkvXCXYvS+pk82ig0ET+8HC7KRZysB5sqD++GbexbPZFYrOhEZYfvY00sOAVvFCh8h6sC1tXAvXZqUgvTClOINDh42NBs/vTmg6RoG57z1moTa5RsGlVAguKqaiE= Simen Kirkvik (gitlab.com)"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
      ];
    };
  };

  virtualisation = {
    podman.enable = true;
    # gitlab-runner will enable this by default, but we want podman instead
    docker.enable = false;
    podman.autoPrune.enable = true;
    # Enable Docker compatibility socket
    podman.dockerCompat = true;
    podman.dockerSocket.enable = true;
    oci-containers.backend = "podman";
    containers.storage.settings = {
      storage.graphroot = "/var/lib/containers/storage";
      storage.runroot = "/run/containers/storage";
    };
    containers.containersConf.settings = {
      # podman seems to not work with systemd-resolved
      containers.dns_servers = [
        "8.8.8.8"
        "8.8.4.4"
      ];
    };
  };
  # without this, when podman changes, it will be restarted, which will kill the build
  # in the middle of restarting services and leave things in a bad state.
  systemd.services.podman.restartIfChanged = false;

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "client";
    extraUpFlags = [
      "--login-server=https://headscale.svc.oceanbox.io"
      "--accept-dns=true"
      "--accept-routes"
    ];
  };

  services.resolved = {
    enable = true;
    fallbackDns = [
      "1.1.1.1"
    ];
  };

  nixpkgs.config.allowUnfreee = true;

  nix = {
    nixPath = [
      "nixpkgs=${nixpkgs}"
    ];
    package = pkgs.nixVersions.stable;
    settings = {
      nix-path = [
        "nixpkgs=${nixpkgs}"
      ];
      # Cleanup
      auto-optimise-store = true;
      # Keep them for debugging
      keep-derivations = true;
      keep-outputs = true;
      experimental-features = [
        "nix-command"
        "flakes"
        "pipe-operators"
      ];
    };
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
    extraOptions = ''
      # See https://jackson.dev/post/nix-reasonable-defaults/
      connect-timeout = 5
      download-attempts = 2
      log-lines = 25
      warn-dirty = false
      fallback = true
      http-connections = 128
      max-substitution-jobs = 128
      # Only brings pain
      flake-registry = ""
    '';
  };

  imports = [
    ./users.nix
    ./hardware-configuration.nix
  ];
}