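{ config, lib, inputs, master, modulesPath, pkgs, unstable, vpngate, ... }:

# NixOS host configuration for "hephaestus": AMD desktop, Plasma 6 on Wayland,
# LUKS-encrypted root behind GRUB cryptodisk, Tailscale, libvirt + podman,
# OpenSnitch egress control. `inputs` and `master` are accepted by the module
# signature but are not referenced in this file.
{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  # ---------------------------------------------------------------------------
  # Privilege escalation
  # ---------------------------------------------------------------------------
  # sudo-rs: only `wheel` members may invoke sudo and they must re-enter their
  # password. NOTE: `nix.settings.trusted-users` below also hands `@wheel`
  # root-equivalent control of the Nix daemon without any password prompt.
  security.sudo-rs = {
    enable = true;
    execWheelOnly = true;
    wheelNeedsPassword = true;
  };

  # ---------------------------------------------------------------------------
  # Boot, kernel and disk encryption
  # ---------------------------------------------------------------------------
  boot = {
    kernelModules = [ "kvm-amd" ];
    kernelPackages = pkgs.linuxPackages;
    kernelParams = [ "amd_iommu=on" ];
    supportedFilesystems = [ "ntfs" ];

    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot/efi";
      };
      # GRUB with cryptodisk support. Only /boot/efi (plaintext vfat ESP) is a
      # separate filesystem below; /boot is a plain directory on the root
      # filesystem, so kernels and initrds are stored on the encrypted volume
      # and GRUB has to unlock it before it can load them.
      grub = {
        enable = true;
        device = "nodev";
        efiSupport = true;
        enableCryptodisk = true;
      };
    };

    initrd = {
      availableKernelModules = [ "ahci" "nvme" "sd_mod" "usb_storage" "usbhid" "xhci_pci" ];

      luks.devices."root" = {
        device = "/dev/disk/by-uuid/89a14ac5-7723-4a0a-bb95-fb2fb2e92160";
        preLVM = true;
        # TRIM is passed through the dm-crypt layer. This is the usual SSD
        # trade-off: anyone with raw disk access can see which sectors are
        # unused, leaking coarse filesystem usage patterns.
        allowDiscards = true;
        # Relative path = the initrd secret declared below. Presumably this
        # avoids a second passphrase prompt after GRUB has already unlocked
        # the volume to read /boot.
        keyFile = "./keyfile0.bin";
      };

      # Appended to the initrd at build/activation time. Because the initrd
      # lives under /boot on the encrypted root (see grub above), the keyfile
      # does not end up on the plaintext ESP. The source file is not managed
      # here; it must exist and be readable by root only (root:root 0400).
      secrets = {
        "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
      };
    };
  };

  # ---------------------------------------------------------------------------
  # Packages
  # ---------------------------------------------------------------------------
  # `unstable.*` and `vpngate.*` are module arguments and are not affected by
  # `with pkgs;`. Note that `unstable.podman` is installed here while
  # `virtualisation.podman.enable` below uses the stable podman — two versions
  # coexist on PATH; confirm that is intended.
  environment.systemPackages = with pkgs; [
    bleachbit
    calibre
    chromium
    clamtk
    cryptsetup
    dbeaver-bin
    discord
    freefilesync
    gimp-with-plugins
    google-chrome
    hardinfo2
    httpie-desktop
    heroic
    iputils
    kdePackages.bluedevil
    kdePackages.kcalc
    kdePackages.kcharselect
    kdePackages.kclock
    kdePackages.kcolorchooser
    kdePackages.ksystemlog
    kdePackages.partitionmanager
    kdePackages.sddm-kcm
    libation
    lutris
    mupen64plus
    nfs-utils
    onlyoffice-desktopeditors
    opensnitch-ui
    pciutils
    pika-backup
    pinentry-curses
    pinta
    protonup-qt
    qbittorrent
    qemu
    traceroute
    unrar
    unstable.beszel
    unstable.mcpelauncher-ui-qt
    unstable.obsidian
    unstable.podman
    unstable.podman-compose
    unstable.podman-desktop
    unstable.ryubing
    unstable.signal-desktop-bin
    unstable.tailscale
    unstable.zoom-us
    usbutils
    virt-manager
    vlc
    vpngate.packages.x86_64-linux.default
    wayland-utils
    whois
    wine
    wl-clipboard
  ];

  # ---------------------------------------------------------------------------
  # Filesystems
  # ---------------------------------------------------------------------------
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/7f4f0948-041c-47e9-ab28-53132026f158";
      fsType = "ext4";
    };
    "/boot/efi" = {
      device = "/dev/disk/by-uuid/F1BD-5227";
      fsType = "vfat";
    };
    # NFS shares from two LAN hosts, mounted with default options. NOTE(review):
    # no `noauto`/`x-systemd.automount`, so boot may stall until the mount
    # times out if a NAS is unreachable; plain NFS (no `sec=krb5`) trusts the
    # LAN and the server's IP-based export ACLs.
    "/mnt/synology-2b/media" = {
      device = "192.168.1.178:/volume1/Media";
      fsType = "nfs";
    };
    "/mnt/truenas/home/backups" = {
      device = "192.168.1.132:/mnt/wd4t/data/home/backup/";
      fsType = "nfs";
    };
  };

  # ---------------------------------------------------------------------------
  # Fonts (duplicate `noto-fonts` entry removed)
  # ---------------------------------------------------------------------------
  fonts = {
    packages = with pkgs; [
      dejavu_fonts
      fira-mono
      font-awesome
      google-fonts
      liberation_ttf
      nerd-fonts.droid-sans-mono
      nerd-fonts.fira-code
      nerd-fonts.symbols-only
      nerd-fonts.ubuntu
      nerd-fonts.ubuntu-mono
      noto-fonts
      noto-fonts-cjk-sans
      noto-fonts-color-emoji
    ];
    fontconfig.defaultFonts = {
      sansSerif = [ "Noto Sans" ];
      serif = [ "Noto Serif" ];
      monospace = [ "Noto Sans Mono" ];
      emoji = [ "Noto Color Emoji" ];
    };
  };

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config.allowUnfree = true;
  };

  # ---------------------------------------------------------------------------
  # Networking
  # ---------------------------------------------------------------------------
  networking = {
    hostName = "hephaestus";
    hostId = "0e8aad53";
    iproute2.enable = true;
    interfaces."enp34s0" = {
      useDHCP = true;
      # Accept magic-packet wake only (no wake on unicast/broadcast).
      wakeOnLan = {
        enable = true;
        policy = [ "magic" ];
      };
    };
    firewall = {
      enable = true;
      allowPing = false;
      # Needed for Tailscale's asymmetric routing via tailscale0.
      checkReversePath = "loose";
      # All traffic arriving over the tailnet bypasses the firewall. That is
      # the only path to services without an explicit port opening (e.g. the
      # beszel agent on 45876). Ports opened by modules with
      # `openFirewall` defaults (sshd, avahi, kdeconnect, Steam Remote Play)
      # are reachable from the LAN as well.
      trustedInterfaces = [ "tailscale0" ];
    };
  };

  # ---------------------------------------------------------------------------
  # Users
  # ---------------------------------------------------------------------------
  users = {
    users = {
      beszel = {
        isSystemUser = true;
        group = "beszel";
        description = "Beszel Agent service user";
      };
      # `wheel` = sudo (with password) plus trusted Nix user; `libvirtd` lets
      # the user attach host disks/devices to VMs, which is effectively root.
      dave = {
        isNormalUser = true;
        extraGroups = [ "wheel" "libvirtd" ];
        shell = pkgs.fish;
      };
    };
    groups.beszel = { };
  };

  # ---------------------------------------------------------------------------
  # systemd units
  # ---------------------------------------------------------------------------
  systemd.services = {
    NetworkManager-wait-online.enable = false;

    # Beszel monitoring agent. Listens on 45876 (no firewall opening, so only
    # reachable via loopback and the trusted tailscale0 interface).
    beszel-agent = {
      description = "Beszel Agent Service";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # KEY is an SSH *public* key (ssh-ed25519 ...), presumably the hub's
        # identity the agent accepts; it is not a secret, so keeping it in the
        # unit file / Nix store is fine.
        Environment = [
          "PORT=45876"
          ''KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaNtnkc+3+fJU+bTO6fibID9FHgFjei0sjJNqvcYtG8"''
        ];
        ExecStart = "${lib.getBin unstable.beszel}/bin/beszel-agent";
        User = "beszel";
        Restart = "always";
        RestartSec = 5;
        # Low-risk sandboxing for an unprivileged metrics agent. Stricter knobs
        # (ProtectSystem=strict, PrivateDevices, RestrictAddressFamilies) were
        # deliberately left out: the agent may need /dev or socket access for
        # GPU/sensor/container stats — confirm before tightening.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
      };
    };
  };

  # ---------------------------------------------------------------------------
  # System
  # ---------------------------------------------------------------------------
  system = {
    stateVersion = "25.11";
    # Unattended `nixos-rebuild switch --upgrade` on the module's default
    # schedule. NOTE(review): no `flake` is set, so this follows the system
    # channel rather than the flake this file appears to belong to — confirm
    # it upgrades what you expect.
    autoUpgrade.enable = true;
    # Print a package-version diff against the running system on activation
    # (also during `dry-activate`). Uses the configured Nix, not a hard-coded
    # pkgs.nix, so it stays correct if `nix.package` is changed.
    activationScripts.diff = {
      supportsDryActivation = true;
      text = ''
        if [[ -e /run/current-system ]]; then
          echo -e "\e[36mPackage version diffs:\e[0m"
          ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
        fi
      '';
    };
  };

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    # Trusted users can pass arbitrary substituters/settings to the daemon and
    # import unsigned store paths — root-equivalent, and unlike sudo it asks
    # for no password. Narrow to [ "root" ] (or a named user) if `@wheel`
    # should not have that.
    trusted-users = [ "root" "@wheel" ];
  };

  # ---------------------------------------------------------------------------
  # Locale, time, hardware
  # ---------------------------------------------------------------------------
  i18n = {
    defaultLocale = "en_US.UTF-8";
    inputMethod = {
      enable = true;
      type = "ibus";
      ibus.engines = with pkgs.ibus-engines; [ anthy ];
    };
  };
  time.timeZone = "America/Toronto";

  hardware = {
    bluetooth.enable = true;
    graphics = {
      enable = true;
      enable32Bit = true;
    };
    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  };

  documentation.man.generateCaches = false;

  # ---------------------------------------------------------------------------
  # Programs
  # ---------------------------------------------------------------------------
  programs = {
    fish.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    # Opens its port range (1714-1764 tcp/udp) on all interfaces by default.
    kdeconnect.enable = true;
    nix-ld.enable = true;
    steam = {
      enable = true;
      # Opens the Remote Play ports on all interfaces, not just the tailnet.
      remotePlay.openFirewall = true;
    };
  };

  # ---------------------------------------------------------------------------
  # Services
  # ---------------------------------------------------------------------------
  services = {
    avahi = {
      enable = true;
      nssmdns4 = true;
      # Advertises hostname, addresses, HINFO and per-user services over mDNS
      # to the whole LAN (5353/udp is opened by default). Trim `publish.*` if
      # this host should be less discoverable.
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        hinfo = true;
        userServices = true;
        workstation = true;
      };
    };

    desktopManager.plasma6.enable = true;
    displayManager.sddm = {
      enable = true;
      wayland.enable = true;
    };
    printing.enable = true;
    resolved.enable = true;

    # `services.sshd.enable` is the legacy alias for this option. sshd is
    # opened on every interface by default (`openFirewall`), not just
    # tailscale0.
    openssh = {
      enable = true;
      settings = {
        # No root authorized keys are declared here, so refusing root logins
        # outright costs nothing (NixOS default is "prohibit-password").
        PermitRootLogin = "no";
        # NOTE(review): password authentication is still on (NixOS default).
        # Declare `users.users.dave.openssh.authorizedKeys.keys` first, then
        # set `PasswordAuthentication = false;` and
        # `KbdInteractiveAuthentication = false;` here.
      };
    };

    tailscale = {
      enable = true;
      package = unstable.tailscale;
    };

    # clamd + freshclam. Nothing here schedules a scan; clamtk (installed
    # above) is presumably used interactively.
    clamav = {
      daemon.enable = true;
      updater.enable = true;
    };

    # Egress control. Anything not matched by these rules falls through to
    # OpenSnitch's default action (not set here), i.e. an interactive prompt
    # via opensnitch-ui for desktop sessions.
    opensnitch = {
      enable = true;
      rules = {
        # mDNS: avahi-daemon to the 224.0.0.0/24 multicast range only.
        avahi-ipv4 = {
          name = "Allow avahi daemon IPv4";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                operand = "process.path";
                sensitive = false;
                data = "${lib.getBin pkgs.avahi}/bin/avahi-daemon";
              }
              {
                type = "network";
                operand = "dest.network";
                data = "224.0.0.0/24";
              }
            ];
          };
        };

        # NTP client: any destination.
        systemd-timesyncd = {
          name = "systemd-timesyncd";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
          };
        };

        # Stub resolver: any destination (DNS upstreams come from DHCP).
        systemd-resolved = {
          name = "systemd-resolved";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
          };
        };

        # Loopback, any process. Matches exactly 127.0.0.1 and ::1 — other
        # 127/8 addresses are not covered.
        localhost = {
          name = "Allow all localhost";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "regexp";
            operand = "dest.ip";
            sensitive = false;
            data = "^(127\\.0\\.0\\.1|::1)$";
            list = [ ];
          };
        };

        # Nix (the configured `nix.package`, matching the nvd call above) to
        # *.github.com / *.nixos.org. The hostname character class previously
        # included a literal `|` — a typo, hostnames cannot contain it.
        # NOTE(review): GitHub tarball fetches commonly redirect to
        # *.githubusercontent.com, which this regex does not match.
        nix-update = {
          name = "Allow Nix";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${lib.getBin config.nix.package}/bin/nix";
              }
              {
                type = "regexp";
                operand = "dest.host";
                sensitive = false;
                data = "^(([a-z0-9-]+\\.)*github\\.com|([a-z0-9-]+\\.)*nixos\\.org)$";
              }
            ];
          };
        };

        # NetworkManager: DHCP (udp/67) only. NetworkManager itself is not
        # enabled explicitly in this file; presumably the Plasma 6 module
        # turns it on by default.
        NetworkManager = {
          name = "Allow NetworkManager";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${lib.getBin pkgs.networkmanager}/bin/NetworkManager";
              }
              {
                type = "simple";
                operand = "dest.port";
                sensitive = false;
                data = "67";
              }
              {
                type = "simple";
                operand = "protocol";
                sensitive = false;
                data = "udp";
              }
            ];
          };
        };

        # Outbound SSH to github.com only (exact host match).
        ssh-github = {
          name = "Allow SSH to github";
          enabled = true;
          action = "allow";
          duration = "always";
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${lib.getBin pkgs.openssh}/bin/ssh";
              }
              {
                type = "simple";
                operand = "dest.host";
                sensitive = false;
                data = "github.com";
              }
            ];
          };
        };
      };
    };
  };

  # ---------------------------------------------------------------------------
  # Virtualisation
  # ---------------------------------------------------------------------------
  virtualisation = {
    podman.enable = true;
    libvirtd = {
      enable = true;
      # Software TPM for guests (Windows 11 etc.).
      qemu.swtpm.enable = true;
    };
  };
}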