nixos-config/hosts/cave/configuration.nix

{
  pkgs,
  lib,
  inputs,
  config,
  ...
}: let
  sshKeys = import ../../crypto/ssh-keys.nix;
in {
  imports = [
    # Defaults
    ./hardware-configuration.nix
    ../../common/base.nix
    ../../common/full-install.nix

    # Localization
    ../../common/locales/en.nix
    ../../common/locales/fr-keymap.nix

    # Hardware
    #../../common/hardware/intel-cpu.nix
    # ../../common/hardware/tpm2.nix
    ../../common/hardware/wireless.nix
    # ../../common/hardware/nvidia-gpu.nix
    #../../common/hardware/nvidia-gpu-offload.nix
    ../../common/hardware/ssd.nix
    ../../common/hardware/btrfs.nix

    # Software components
    # ../../common/components/de/sddm.nix
    ../../common/components/de/plasma6.nix
    # ../../common/components/de/hyprland.nix

    # Programs
    ../../common/programs/steam.nix

    # Services
    # ../../common/services/auditd.nix
    # ../../common/services/nix-gc.nix
    ../../common/services/opensnitch.nix
    # ../../common/services/adguardhome.nix
    ../../common/services/syncthing.nix
    ../../common/services/usbguard.nix
    ../../common/services/autoupgrade.nix

    # Home-manager
    ../../home/tasia/home.nix

    inputs.agenix.nixosModules.default
    ../../common/components/wifi-secrets.nix

    # inputs.thymis.nixosModules.thymis-controller
    # Personal modules
    # ../../modules/nixos/tildefriends.nix
    ./yubikey.nix
  ];

  # RGB Keyboard backight
  #boot.extraModulePackages = with config.boot.kernelPackages; [hid-ite8291r3];

  #services.udev.extraRules = ''
  #  ACTION=="add", SUBSYSTEM=="leds", DEVPATH=="*:kbd_backlight", TEST=="color", ATTR{color}="fc4f05"
  #'';

  # Nvidia GPU
  #hardware.nvidia.prime = {
  #  intelBusId = "PCI:1:0:0";
  #  nvidiaBusId = "PCI:0:2:0";
  #};

  networking = {
    hostName = "cave";

    firewall = {
      allowedTCPPorts = [
        # 8080 # ?
        80
        443
        3001
        8000
        # 8008 # ssb
        # 12345 # tildefriends
        # 13378 # audiobookshelf
      ];
      allowedUDPPorts = [
        # 8080 # ?
      ];
    };
  };

  users.users.tasia.openssh.authorizedKeys.keys = [
    sshKeys.tasia.cave
  ];

  virtualisation.docker.enable = true;
  services.flatpak.enable = true;

  services.syncthing = {
    user = "tasia";
    dataDir = lib.mkForce "/home/tasia/Sync/data";
    configDir = lib.mkForce "/home/tasia/Sync/configuration";
  };

  # Needed to build enry
  #boot.binfmt.emulatedSystems = ["aarch64-linux"];

  environment.systemPackages = with pkgs; [
    inputs.tildefriends.packages.${system}.default

    osu-lazer-bin
    prismlauncher

    sherlock
    whois
    android-tools

    ripgrep
    lsd
    viu
    logseq
    nix-tree
    android-studio
    lutris

    # nheko
    iamb
    ladybird
    lynx

    chirp
    yubikey-manager

    inputs.agenix.packages.x86_64-linux.default

    sdrpp
    gqrx
    rtl-sdr
    grim # screenshot functionality
    slurp # screenshot functionality
    wl-clipboard # wl-copy and wl-paste for copy/paste from stdin / stdout
    mako # notification system developed by swaywm maintainer
  ];

  # Enable the gnome-keyring secrets vault.
  # Will be exposed through DBus to programs willing to store secrets.
  services.gnome.gnome-keyring.enable = true;

  # enable sway window manager
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };

  hardware.rtl-sdr.enable = true;
  users.users.tasia.extraGroups = ["plugdev"];

  boot.kernelParams = ["modprobe.blacklist=dvb_usb_rtl28xxu"]; # blacklist this module

  services.udev.packages = [pkgs.rtl-sdr];

  fonts.packages = with pkgs; [
    (nerdfonts.override {fonts = ["CascadiaCode"];})
  ];

  # programs.adb.enable = true;

  # services.nginx.enable = true;
  # services.nginx.virtualHosts."test.vulpecula.zone" = {
  #   # addSSL = true;
  #   # enableACME = true;
  #   root = "/www";
  # };
  # security.acme = {
  #   acceptTerms = true;
  #   defaults.email = "tasiaiso@proton.me";
  # };

  services.printing.drivers = [pkgs.cnijfilter2];

  # services.uptime-kuma.enable = true;
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
    "electron-27.3.11"
  ];

  # services.mattermost = {
  #   enable = true;
  #   siteUrl = "https://mattermost.example.com"; # Set this to the URL you will be hosting the site on.
  # };

  # todo: ci runner

  # services.ollama = {
  #   enable = true;
  #   # acceleration = "cuda";
  # };

  # services.gotosocial = {
  #   enable = true;
  #   setupPostgresqlDB = true;
  #   settings = {
  #     application-name = "My GoToSocial";
  #     host = "gotosocial.example.com";
  #     protocol = "http";
  #     bind-address = "127.0.0.1";
  #     port = 8080;
  #   };
  # };

  # environment.etc."nextcloud-admin-pass".text = "Devdevdev10!";
  # services.nextcloud = {
  #   enable = true;
  #   package = pkgs.nextcloud29;
  #   hostName = "localhost";
  #   config.adminpassFile = "/etc/nextcloud-admin-pass";
  # };

  #  services.rustdesk-server = {
  #    enable = true;
  #    openFirewall = true;
  # relayIP = "100.91.88.2";
  # };

  # users.users.lol = {
  #   isNormalUser = true;
  #   description = "lol";
  #   extraGroups = [
  #     "networkmanager"
  #     # "wheel"
  #     # "syncthing"
  #     # "tss"
  #     # "dialout"
  #     # "vboxusers"
  #     # "adbusers"
  #   ];
  #   initialPassword = "password123";
  # };

  # netwobking
  # ipvx dns-search = "";
  # wifi mac-address-blacklist = "";
  # wifisec auth-alg = "open";

  # services.thymis-controller = {
  #   enable = true;
  #   system-binfmt-aarch64-enable = true; # enables emulation of aarch64 binaries, default is true on x86_64, needed for building aarch64 images on x86_64
  #   system-binfmt-x86_64-enable = false; # enables emulation of x86_64 binaries, default is false
  #   repo-path = "/var/lib/thymis/repository"; # directory where the controller will store the repository holding the project
  #   database-url = "sqlite:////var/lib/thymis/thymis.sqlite"; # URL of the database
  #   base-url = "https://cave/"; # base URL of the controller, how it will be accessed from the outside
  #   auth-basic = true; # whether to enable authentication using a basic username/password
  #   auth-basic-username = "admin"; # username for basic authentication
  #   auth-basic-password-file = "/var/lib/thymis/auth-basic-password"; # file containing the password for basic authentication
  #   # content will be automatically generated if it does not exist
  #   listen-host = "127.0.0.1"; # host on which the controller listens for incoming connections
  #   listen-port = 33100; # port on which the controller listens for incoming connections
  #   nginx-vhost-enable = false; # whether to enable the Nginx virtual host
  #   nginx-vhost-name = "thymis"; # name of the Nginx virtual host
  # };
  # # Configure the Nginx virtual host
  # services.nginx = {
  #   enable = true;
  #   virtualHosts."thymis" = {
  #     serverName = "cave";
  #     enableACME = true;
  #     forceSSL = true;
  #   };
  # };
  # security.acme.defaults.email = "tasiaiso@proton.me";

  security.acme.acceptTerms = true;
  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "23.11";
}