nix/framework/configuration.nix

{ config, pkgs, ... }:

let
  sources = import ./sources.nix;
  #lanzaboote = import sources.lanzaboote;
  greetdSwayConfig = pkgs.writeText "greetd-sway-config" ''
    # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet.
    exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway; swaymsg exit"
    bindsym Mod4+shift+e exec swaynag \
      -t warning \
      -m 'What do you want to do?' \
      -b 'Poweroff' 'systemctl poweroff' \
      -b 'Reboot' 'systemctl reboot'
  '';
in
{
  imports = [
    <nixos-hardware/framework/12th-gen-intel>
    ./hardware-configuration.nix
    #lanzaboote.nixosModules.lanzaboote
    ../common/configuration/main.nix
  ];

  virtualisation = {
    podman.enable = true;
    podman.dockerCompat = true;
    # libvirtd.enable = true;
    # spiceUSBRedirection.enable = true;
  };

  hardware = {
    bluetooth.enable = true;
    pulseaudio.enable = false;
    opengl = {
      enable = true;
      driSupport32Bit = true;
      extraPackages = with pkgs; [ intel-media-driver vaapiIntel ];
    };
  };

  boot = {
    #bootspec.enable = false;

    loader = {
      efi.canTouchEfiVariables = true;

      systemd-boot = {
        enable = true;
        consoleMode = "auto";
        configurationLimit = 10;
      };
    };

    #lanzaboote = {
    #  enable = false;
    #  pkiBundle = "/etc/secureboot";
    #};

    kernelPackages = pkgs.linuxPackages_latest;
    kernelParams = [ 
      "quiet"
      "splash"
      "vga=current"
      "udev.log_level=3"
      "i915.enable_psr=2"
      "nvme.noacpi=1"
      "resume=/dev/disk/by-uuid/7e88d61f-5581-45fb-82f1-29a0e0caf4c0"
    ];

    blacklistedKernelModules = [ "hid_sensor_hub" ];

    supportedFilesystems = [ "ntfs" ];
    
    loader.timeout = 0;
    initrd.verbose = false;
    consoleLogLevel = 0;
    plymouth.enable = true;
  };

  networking = {
    hostName = "sijmen-framework";
    networkmanager = {
      enable = true;
      unmanaged = [ "wg0" "virbr0" ];
    };
    firewall = {
      allowedTCPPorts = [
        22      # ssh
        22000   # syncthing sync
        51414   # transmission
        57621   # spotify connect
        1313
        8000
        8080
      ];

      allowedUDPPorts = [
        21027   # syncthing discovery
        22000   # syncthing sync
        51820   # wireguard
      ];
    };

    wireguard.interfaces.wg0 = {
      ips = [ "10.100.0.4/32" ];
      listenPort = 51820;
      privateKeyFile = "/home/sijmen/.config/wireguard-keys/private";
      peers = [{
        publicKey = "zu9vXxxg4wm0R4yWQ2HPaAwJbizuccGYbBB/StwSsm4=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "cloud.sijmenschoon.nl:51820";
        persistentKeepalive = 25;
      }];
    };

    extraHosts = ''
    #127.0.0.3 youtube.com
    #127.0.0.3 www.youtube.com
    #127.0.0.3 i.ytimg.com
    '';
  };

  environment.etc."greetd/environments".text = ''
    sway
    bash
  '';

  services = {
    greetd = {
      enable = true;
      settings = {
        default_session.command = "${pkgs.sway}/bin/sway --config ${greetdSwayConfig}";
      };
    };

    syncthing = {
      overrideDevices = true;
      overrideFolders = true;

      devices = {
        nas.id = "5XADATO-6ZKNZFK-YIX2TU3-RTUOAXR-OMWOAH6-OIUB7LE-TWM5B3C-W2I2FQU";
        desktop-fedora.id = "RE3BCEP-2FVDNPA-C72KDCX-5NRTLD4-DEJZAIX-PJAMJAN-LJDFHOY-WOXNPQW";
      };

      folders = {
        "vhuse-qjbcl" = {
          path = "${config.users.users.sijmen.home}/Sync";
          devices = [ "nas" "desktop-fedora" ];
        };
      };
    };

    pipewire = {
      enable = true;
      alsa = { enable = true; support32Bit = true; };
      pulse.enable = true;
    };

    tlp = {
      enable = true;
      settings = {
        INTEL_GPU_MIN_FREQ_ON_AC = "100";
        INTEL_GPU_MIN_FREQ_ON_BAT = "100";

        PCIE_ASPM_ON_BAT = "powersupersave";
        RUNTIME_PM_ON_BAT = "1";

        CPU_ENERGY_PERF_POLICY_ON_AC = "balance_performance";
        CPU_ENERGY_PERF_POLICY_ON_BAT = "balance_power";
        CPU_BOOST_ON_BAT = "0";
        CPU_BOOST_ON_AC = "1";
        CPU_HWP_DYN_BOOST_ON_BAT = "0";
        SCHED_POWERSAVE_ON_BAT = "1";
        NMI_WATCHDOG = "0";

        USB_AUTOSUSPEND = "1";
        USB_EXCLUDE_AUDIO = "1";
        USB_EXCLUDE_BTUSB = "0";

        # Bus 001 Device 040: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
        # Bus 001 Device 038: ID 32ac:0002 Framework HDMI Expansion Card
        USB_ALLOWLIST="1050:0407 32ac:0002";
      };
    };

    avahi = {
      enable = true;
      nssmdns = true;
      openFirewall = true;
    };

    fwupd.extraRemotes = [ "lvfs-testing" ];
    fprintd.enable = true;
    ratbagd.enable = true;
    logind.lidSwitchDocked = "suspend";
    power-profiles-daemon.enable = false;
  };

  security = {
    pam.services.login.fprintAuth = true;
    pam.services.swaylock = {};
    polkit.enable = true;
  };

  environment.systemPackages = with pkgs; [
    gnome.adwaita-icon-theme
    ifuse
    libimobiledevice
    libheif
    sbctl
    polkit
    polkit_gnome
  ];

  programs.steam = {
    #enable = true;
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = true;
  };

  nixpkgs.config = {
    packageOverrides = pkgs: {
      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
    };
  };

  home-manager.users.sijmen.imports = [ ../common/dconf.nix ];

  systemd.services."suspend" = {
    enable = true;
    # TODO Should be `before`, but then fingerprint reader doesn't work
    after = [ "suspend.target" ];
    wantedBy = [ "suspend.target" ];
    serviceConfig = {
      # TODO Make username agnostic
      ExecStart = 
        "${pkgs.systemd}/bin/systemctl --user --machine=sijmen@ start --wait swaylock";
      Type = "oneshot";
    };
  };

  system.stateVersion = "22.05";
}