# Host-specific NixOS module: x86_64 laptop/desktop booting via systemd-boot, an
# encrypted ZFS root (disko), networkd + resolved networking, and an
# impermanent root where /persist and /state survive reboots.
{ inputs, lib, pkgs, ... }:
{
  imports = [
    inputs.disko.nixosModules.disko
    ./hardware-configuration.nix
    ./disko-config.nix
    ../desktop.nix
    ../../modules/nixos/deterministic-ids.nix
    ../../users/jordan
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
  # Explicit exception for a package that nixpkgs marks as insecure (the
  # out-of-tree Broadcom wireless driver). Keep this list minimal and re-check
  # whether the exception is still needed whenever the kernel is bumped.
  nixpkgs.config.permittedInsecurePackages = [
    "broadcom-sta-6.30.223.271-59-6.12.63"
  ];

  # Public half of the host key used to rekey secrets for this machine.
  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.systemd = {
    enable = true;
    # cryptsetup is needed inside the initrd to unlock the disk before the pool
    # can be imported.
    extraBin.cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
    # Do not try to import the pool until the LUKS devices are open.
    services."zfs-import-rpool".after = [ "cryptsetup.target" ];
  };
  boot.tmp.useTmpfs = true;

  console.earlySetup = true;

  systemd.network = {
    enable = true;
    # Do not block boot on a network link being up.
    wait-online.enable = false;
  };

  networking = {
    hostId = "cf791898";
    useNetworkd = true;
    dhcpcd.enable = false;
    firewall = {
      enable = true;
      # Only SSH is reachable from the network; everything else is dropped.
      allowedTCPPorts = [
        22 # SSH
      ];
    };
  };

  services.resolved = {
    enable = true;
    # DNSSEC validation is disabled here, so resolver answers are not
    # validated locally.
    dnssec = "false";
    fallbackDns = [
      "9.9.9.9"
      "2620:fe::fe"
      "1.1.1.1"
      "2606:4700:4700::1111"
    ];
    # Disable link-local name resolution protocols (LLMNR and mDNS).
    llmnr = "false";
    extraConfig = ''
      MulticastDNS=false
    '';
  };

  environment = {
    # Workaround for label rendering bug in GTK4 with nvidia 470 driver
    sessionVariables.GSK_RENDERER = "gl";
    # mkForce wins over whatever the imported modules set for these paths.
    persistence."/persist".enable = lib.mkForce true;
    persistence."/state".enable = lib.mkForce true;
  };

  # Override the desktop profile pulled in via ../desktop.nix.
  modules.system.desktop.gnome.enable = lib.mkForce false;

  # Root may log in over SSH with a key only; password authentication for root
  # is refused regardless of what other modules set.
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

  users = {
    users.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
    ];

    # Fixed uid/gid pairs for system accounts; presumably so ownership on the
    # persisted paths stays stable across rebuilds (see deterministic-ids.nix).
    # Each entry maps to { uid = id; gid = id; }.
    deterministicIds = lib.mapAttrs (_name: id: { uid = id; gid = id; }) {
      systemd-oom = 999;
      systemd-coredump = 998;
      sshd = 997;
      nscd = 996;
      polkituser = 995;
      rtkit = 994;
      lpadmin = 993;
    };
  };

  system.stateVersion = "22.11";
}