xin/hosts/litr/default.nix

{ config, pkgs, lib, ... }:

let
  pubKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA7khawMK6P0fXjhXXPEUTA2rF2tYB2VhzseZA/EQ/OtAAAAC3NzaDpncmVhdGVy qbit@litr.bold.daemon"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI= qbit@litr.bold.daemon"
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
  ];

  userBase = { openssh.authorizedKeys.keys = pubKeys; };

in {
  _module.args.isUnstable = true;
  imports = [ ./hardware-configuration.nix ../../overlays/default.nix ];

  doas.enable = true;
  kde.enable = true;
  jetbrains.enable = true;
  sshFidoAgent.enable = true;

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" ];

  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking.hostName = "litr";
  networking.hosts."172.16.30.253" = [ "proxmox-02.vm.calyptix.local" ];
  networking.hosts."127.0.0.1" = [ "borg.calyptix.dev" "localhost" ];
  networking.hosts."192.168.122.133" = [ "arst.arst" "vm" ];

  networking.networkmanager.enable = true;

  preDNS.enable = false;

  sops.secrets = {
    tskey = {
      sopsFile = config.xin-secrets.litr.secrets;
      owner = "root";
      mode = "400";
    };
  };

  systemd.services = {
    "tailscale-init" = {
      wantedBy = [ "tailscaled.service" ];
      after = [ "tailscaled.service" ];
      serviceConfig = {
        ExecStart =
          "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.tskey.path}";
      };
    };
  };

  environment.systemPackages = with pkgs; [
    arcanPackages.all-wrapped
    aircrack-ng
    apg
    barrier
    barrier
    firefox
    fzf
    gnome.gnome-keyring
    ispell
    jitsi-meet-electron
    keychain
    kismet
    matterhorn
    mercurial
    mosh
    mupdf
    nfs-utils
    nmap
    nodejs
    notejot
    oathToolkit
    obs-studio
    openvpn
    rbw
    rust-analyzer
    silver-searcher
    sshfs
    tcpdump
    teams
    tor
    uucp
    vlc
    vscode
    wireshark
    virt-manager

    google-chrome-dev
  ];

  nixpkgs.config.allowUnfree = true;

  virtualisation.libvirtd.enable = true;
  programs.dconf.enable = true;

  services = {
    fwupd.enable = true;
    unifi.enable = true;
    openntpd.enable = true;
    resolved = {
      enable = true;
      dnssec = "allow-downgrade";
    };
  };

  networking.firewall = {
    allowedTCPPorts = [ 22 ];
    checkReversePath = "loose";
  };

  users.users.root = userBase;
  users.users.abieber = userBase // {
    isNormalUser = true;
    shell = pkgs.zsh;
    extraGroups = [ "wheel" "networkmanager" "libvirtd" ];
  };

  programs.zsh.enable = true;

  system.stateVersion = "20.03"; # Did you read the comment?
}